OpenSSL SSL_CTX_set_default_verify_paths Slow
Jay Foster
jayf0ster at roadrunner.com
Mon Sep 27 15:24:27 UTC 2021
On 9/27/21 7:33 AM, Michael Richardson wrote:
> Jay Foster <jayf0ster at roadrunner.com> wrote:
> > While migrating some applications from OpenSSL 1.0.2 (and 1.1.1) to
> > 3.0.0, I have noticed that the SSL_CTX_set_default_verify_paths()
> > function is much slower in 3.0.0. In 1.0.0 it would take about 0.1
> > seconds and in 3.0.0 it takes over 3 seconds.
>
> Based upon your straces, the time is spent in the OS.
> Are you running this on the same system?
Exact same machine.
> That's still very slow... I wonder if you have a failing disk.
I don't think so. The file system is a UBIFS on NAND flash, and it
works with 1.0.2 and 1.1.1. Even 1.1.1 is a *little* bit slower than
1.0.2, but nowhere near as much slower as 3.0.0.
It looks like the OpenSSL library is reading the cert.pem file in 4KB
blocks at a time and doing some processing on the data read. It appears
that this processing is what is taking longer.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
>