OpenSSL::X509::Store#set_default_paths is much slower in v. 0.9.17 than v. 0.9.5 #111
Comments
Able to confirm the issue using the Ubuntu standard: /etc/ssl/certs/ca-certificates.crt (about the same size: 274340). The slowness seems to be coming from all the X.509 certificate comparison; there's some potential caching going on, but with that comes more memory consumption. Currently, there's no obvious fix for this. It might need some work looking into the details (such as lightweight BC certificates) and figuring out a smart way to do the lookup/matching.
I was about to submit this very same issue. We're seeing this having a showstopping impact - tens of seconds per invocation in a highly concurrent environment.
@JasonLunn use the Java cacert file instead... It's much faster to parse
On the AMI of Amazon Linux we use,
We set this at startup:

```
ENV['SSL_CERT_FILE']='/usr/java/latest/jre/lib/security/cacerts'
```

It's much faster. You can check out the benchmarks I reported in this issue: jruby/jruby#4238. Look at the bench2.rb file and results. EDIT: @JasonLunn
This has been ported over from jruby/jruby#4238
## bench.rb
## Results

```
$ jruby --profile.api bench.rb
Profiling enabled; ^C shutdown will now dump profile info
jruby 1.7.19 (1.9.3p551) 2015-01-29 20786bd on Java HotSpot(TM) 64-Bit Server VM 1.8.0_111-b14 +jit [linux-amd64]
jruby-openssl (0.9.5 java)
  File: ‘/etc/pki/tls/certs/ca-bundle.crt’
  Size: 263596 Blocks: 520 IO Block: 4096 regular file
Total time: 0.79

     total        self    children       calls  method
----------------------------------------------------------------
      0.79        0.00        0.79           1  Fixnum#times
      0.79        0.79        0.00          10  OpenSSL::X509::Store#set_default_paths
      0.00        0.00        0.00          10  Class#new
      0.00        0.00        0.00          10  OpenSSL::X509::Store#initialize
```

```
$ jruby --profile.api bench.rb
Profiling enabled; ^C shutdown will now dump profile info
jruby 1.7.19 (1.9.3p551) 2015-01-29 20786bd on Java HotSpot(TM) 64-Bit Server VM 1.8.0_111-b14 +jit [linux-amd64]
jruby-openssl (0.9.17 java, 0.9.5 java)
  File: ‘/etc/pki/tls/certs/ca-bundle.crt’
  Size: 263596 Blocks: 520 IO Block: 4096 regular file
Total time: 3.07

     total        self    children       calls  method
----------------------------------------------------------------
      3.07        0.00        3.07           1  Fixnum#times
      3.06        3.06        0.00          10  OpenSSL::X509::Store#set_default_paths
      0.00        0.00        0.00          10  Class#new
      0.00        0.00        0.00          10  OpenSSL::X509::Store#initialize
```
And for the sake of completeness... same issue in jruby 9.1.5.0
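
An added example, not part of the original issue or the jruby-openssl project: a timing harness with the same 10-call shape as the profile above, plus one way to pay the `set_default_paths` cost once per process by sharing a single store across SSL contexts. `time_default_paths` and `SharedTrustStore` are hypothetical names, and the sketch assumes the store is not modified after it is built.

```ruby
require 'openssl'

# Time `runs` fresh stores, each loading the default trust anchors
# (same 10-call shape as the profile output in the issue).
def time_default_paths(runs = 10)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  runs.times { OpenSSL::X509::Store.new.set_default_paths }
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
end

# Hypothetical helper (not a jruby-openssl API): build the default
# store once per process and hand the same object to every context.
# Assumes nothing adds or removes certificates after construction.
module SharedTrustStore
  LOCK = Mutex.new

  def self.store
    LOCK.synchronize do
      @store ||= OpenSSL::X509::Store.new.tap(&:set_default_paths)
    end
  end

  # New context that reuses the shared store; peer verification stays on.
  def self.ssl_context
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert_store = store
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx
  end
end

if __FILE__ == $PROGRAM_NAME
  fresh = time_default_paths(10)
  SharedTrustStore.store # pay the load cost once
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  10.times { SharedTrustStore.ssl_context }
  shared = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  puts format('10 fresh stores:    %.3fs', fresh)
  puts format('10 shared contexts: %.3fs', shared)
end
```

Run it under each jruby-openssl version to compare the per-store cost with the cost of reusing one store.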