
curl-library

OpenSSL verify locations set despite VERIFYPEER=0

From: Patrick Schlangen <patrick_at_schlangen.me>
Date: Sun, 4 Feb 2018 00:27:52 +0100

Hi,

In my libcurl-based application with 4096+ parallel connections, I have
discovered that *lots* of time is spent in OpenSSL routines to read
certificate files even though I set SSL_VERIFYPEER to 0. Actually it turns
out that this seems to be the bottleneck of the whole setup.

After poking around in the code, I found this part in lib/vtls/openssl.c
around line 2340:

> if(ssl_cafile || ssl_capath) {
>   /* tell SSL where to find CA certificates that are used to verify
>      the servers certificate. */
>   if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile,
>                                     ssl_capath)) {
>     if(verifypeer) {

Here, SSL_CTX_load_verify_locations is called even if verifypeer is false,
provided that either CAPATH or CAINFO is set. I do not set any of those,
but CAINFO, on my system, defaults to /etc/ssl/certs/ca-certificates.crt. On
my system the file is around 230 KB, explaining why so much time is spent
parsing it (apparently for every new connection!).

As a workaround, I now set CAINFO to NULL and observed a significant load
reduction (average download time went from 20 seconds to just 4 seconds). I
am using a libev-based approach with curl's multi API where I am adding new
connections when certain events occur, and loading this certificate file
seemed to slow down the whole event loop processing.

Maybe it would make sense to generally set the verify locations only if
verifypeer is true, if it does not have any side effects? What do you think?

Best Regards,

Patrick

Received on 2018-02-04
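The cost described in the mail (parsing a ~230 KB CA bundle for every new connection) can be removed without switching peer verification off: parse the CA store once into a context that verifies peers and hand that same context to every connection. The code below is an added example written for this page, not libcurl's own code or the poster's application; it uses Python's standard-library ssl module (OpenSSL underneath) to show the per-connection parse beside the shared-context pattern, counting how often the CA store is actually read. The cache class, function names and the counter are this example's own constructs; the bundle path is the one named in the mail and is only used if it exists on the host.

```python
"""Share one parsed CA store across many TLS connections instead of
re-reading the CA bundle per connection (or disabling verification).

Added example for this mailing-list page; not code from curl or libcurl."""
import os
import ssl
import threading
import time
from typing import Dict, Optional, Tuple

CacheKey = Tuple[Optional[str], Optional[str]]  # (cafile, capath)


def build_verifying_context(cafile: Optional[str] = None,
                            capath: Optional[str] = None) -> ssl.SSLContext:
    """Parse the CA store into a client context that verifies peers.
    With no explicit bundle or directory, the system default store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # counterpart of CURLOPT_SSL_VERIFYPEER=1
    ctx.check_hostname = True             # counterpart of CURLOPT_SSL_VERIFYHOST=2
    if cafile or capath:
        # Same OpenSSL call the mail quotes: SSL_CTX_load_verify_locations.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


class TlsContextCache:
    """One SSLContext per (cafile, capath) pair, reused by every connection.
    `loads` counts real CA-store parses so the saving can be measured.
    (Hypothetical helper for this example.)"""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._contexts: Dict[CacheKey, ssl.SSLContext] = {}
        self.loads = 0

    def get(self, cafile: Optional[str] = None,
            capath: Optional[str] = None) -> ssl.SSLContext:
        key: CacheKey = (cafile, capath)
        with self._lock:
            ctx = self._contexts.get(key)
            if ctx is None:
                ctx = build_verifying_context(cafile, capath)
                self.loads += 1
                self._contexts[key] = ctx
            return ctx


def verification_is_enforced(ctx: ssl.SSLContext) -> bool:
    """True only if both certificate-chain and hostname checks stay on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def loads_without_cache(n_connections: int, cafile: Optional[str] = None,
                        capath: Optional[str] = None) -> int:
    """The per-connection pattern from the mail: every connection parses the
    CA store again. Returns the number of parses (always n_connections)."""
    parses = 0
    for _ in range(n_connections):
        build_verifying_context(cafile, capath)
        parses += 1
    return parses


def loads_with_cache(n_connections: int, cafile: Optional[str] = None,
                     capath: Optional[str] = None) -> int:
    """The shared-context pattern: one parse, however many connections."""
    cache = TlsContextCache()
    for _ in range(n_connections):
        cache.get(cafile, capath)
    return cache.loads


if __name__ == "__main__":
    # Use the bundle path named in the mail if present, else the default store.
    bundle = "/etc/ssl/certs/ca-certificates.crt"
    cafile = bundle if os.path.exists(bundle) else None
    n = 200
    for label, fn in (("per-connection parse", loads_without_cache),
                      ("shared context", loads_with_cache)):
        t0 = time.perf_counter()
        parses = fn(n, cafile)
        print(f"{label:22s}: {parses:4d} CA parses for {n} connections, "
              f"{time.perf_counter() - t0:.3f}s")
```

The design point is that the expensive object is the parsed trust store, not the connection, so it belongs at process scope (one per distinct CA configuration) rather than per handle; verification itself stays enabled throughout. libcurl later added the same idea natively: since 7.87.0 the OpenSSL backend caches the loaded CA store and CURLOPT_CA_CACHE_TIMEOUT controls how long it is reused, so an application on a current release gets this without setting CAINFO to NULL.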