Speed up loading client CA list

Do not attempt to load and print all trusted CAs unless we need them to invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be slow, especially if there are many. The CAdir format allows OpenSSL to only load them on demand, avoiding this overhead. Additionally, SSL_CTX_load_verify_locations(3) supports file formats that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3) do not support, for example certificates in the BEGIN TRUSTED CERTIFICATE format. Valid configurations with older stunnel versions that point to such a file would otherwise needlessly start failing. Additionally, use SSL_load_client_CA_file(3) to load certificates from a file rather than SSL_add_file_cert_subjects_to_stack(3), since the former uses a hashtable for deduplication, but the latter relies on a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in OpenSSL, because the comparison function for X509_NAMEs converts them to DER involving a memory allocation, which is already expensive, but even more expensive when used with stunnel's custom allocator functions. An upstream PR openssl/openssl#25056 will eventually fix this, but it will take quite a while for this to arrive on users' systems, and it will likely not be backported into older affected versions of OpenSSL or their forks. Resolves: RHEL-52321 Resolves: RHEL-52317 Signed-off-by: Clemens Lang <cllang@redhat.com>
2024-08-01 14:36:43 +02:00 · 2024-08-01 14:36:43 +02:00 · a154e02ce9
commit a154e02ce9
parent 6c91664a3d
2 changed files with 116 additions and 1 deletions
--- a/stunnel-5.72-speed-up-loading-client-CA-list.patch
+++ b/stunnel-5.72-speed-up-loading-client-CA-list.patch
@ -0,0 +1,107 @@
 From 5f0b818f62720d5bd8b8c9c631604ddb4c992be7 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Wed, 31 Jul 2024 15:35:24 +0200
 Subject: [PATCH] src/verify.c: Speed up loading client CA list
 Do not attempt to load and print all trusted CAs unless we need them to
 invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
 slow, especially if there are many. The CAdir format allows OpenSSL to
 only load them on demand, avoiding this overhead.
 Additionally, SSL_CTX_load_verify_locations(3) supports file formats
 that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
 do not support, for example certificates in the BEGIN TRUSTED
 CERTIFICATE format. Valid configurations with older stunnel versions
 that point to such a file would otherwise needlessly start failing.
 Additionally, use SSL_load_client_CA_file(3) to load certificates from
 a file rather than SSL_add_file_cert_subjects_to_stack(3), since the
 former uses a hashtable for deduplication, but the latter relies on
 a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in
 OpenSSL, because the comparison function for X509_NAMEs converts them to
 DER involving a memory allocation, which is already expensive, but even
 more expensive when used with stunnel's custom allocator functions.
 An upstream PR openssl/openssl#25056 will eventually fix this, but it
 will take quite a while for this to arrive on users' systems, and it
 will likely not be backported into older affected versions of OpenSSL or
 their forks.
 Related: RHEL-50154
 Related: RHEL-46411
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 src/verify.c | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)
 diff --git a/src/verify.c b/src/verify.c
 index 56ab130..d1d3849 100644
 --- a/src/verify.c
 +++ b/src/verify.c
@@ -95,10 +95,35 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) {
         if(!SSL_CTX_load_verify_locations(section->ctx,
                 section->ca_file, section->ca_dir)) {
             sslerror("SSL_CTX_load_verify_locations");
 +            return 1; /* FAILED */
         }
     }
 -    ca_dn=sk_X509_NAME_new_null();
 +    /* Do not attempt to load and print all trusted CAs unless we need them to
 +       invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
 +       slow, especially if there are many. The CAdir format allows OpenSSL to
 +       only load them on demand.
 +       Additionally, SSL_CTX_load_verify_locations(3) supports file formats
 +       that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
 +       do not support, for example certificates in the BEGIN TRUSTED
 +       CERTIFICATE format. Valid configurations with older stunnel versions
 +       that point to such a file would otherwise needlessly start failing. */
 +    if(section->option.client)
 +        return 0; /* OK */
 +
 +    if(section->ca_file)
 +        /* SSL_load_client_CA_file is a lot faster than
 +           SSL_add_file_cert_subjects_to_stack(). Use it for ca_file if
 +           specified, then add the rest of the certificates to this stack. */
 +        ca_dn=SSL_load_client_CA_file(section->ca_file);
 +
 +    if (!ca_dn)
 +        /* ca_file not set, or SSL_load_client_CA_file(3) failed. */
 +        ca_dn=sk_X509_NAME_new_null();
 +
 +    /* client CA list initialization from directory */
 +    if(section->ca_dir)
 +        SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir);
 #ifndef OPENSSL_NO_ENGINE
     /* CA and client CA list initialization with the engine */
@@ -115,24 +140,13 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) {
     }
 #endif
 -    /* client CA list initialization with the file and/or directory */
 -    if(section->ca_file)
 -        SSL_add_file_cert_subjects_to_stack(ca_dn, section->ca_file);
 -    if(section->ca_dir)
 -        SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir);
 -
     if(!sk_X509_NAME_num(ca_dn)) {
         sk_X509_NAME_pop_free(ca_dn, X509_NAME_free);
         return 1; /* FAILED */
     }
 -    if(section->option.client) {
 -        print_CA_list("Configured trusted server CA", ca_dn);
 -        sk_X509_NAME_pop_free(ca_dn, X509_NAME_free);
 -    } else { /* only set the client CA list on the server */
 -        print_CA_list("Configured trusted client CA", ca_dn);
 -        SSL_CTX_set_client_CA_list(section->ctx, ca_dn);
 -    }
 +    print_CA_list("Configured trusted client CA", ca_dn);
 +    SSL_CTX_set_client_CA_list(section->ctx, ca_dn);
     return 0; /* OK */
 }
 -- 
 2.45.2
--- a/stunnel.spec
+++ b/stunnel.spec
@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.71
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -30,6 +30,7 @@ Patch1: stunnel-5.61-systemd-service.patch
 Patch3: stunnel-5.69-system-ciphers.patch
 Patch5: stunnel-5.69-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
 Patch7: stunnel-5.72-speed-up-loading-client-CA-list.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@ -61,6 +62,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch3 -p1 -b .system-ciphers
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
 %patch7 -p1 -b .speed-up-loading-client-CA-list
 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@ -139,6 +141,12 @@ fi
 %systemd_postun_with_restart %{name}.service
 %changelog
 * Thu Aug 01 2024 Clemens Lang <cllang@redhat.com> - 5.71-2
 - Speed up loading client CA list from CAfile
  Resolves: RHEL-52321
 - Do not load all CAs in client mode to allow continued use of BEGIN TRUSTED CERTIFICATE format
  Resolves: RHEL-52317
 * Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
 - New upstream release 5.71
  Resolves: RHEL-2468