An SSL-encrypting socket wrapper
8e69cc0314
Do not attempt to load and print all trusted CAs unless we need them to
invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
slow, especially if there are many. The CAdir format allows OpenSSL to
only load them on demand, avoiding this overhead.
Additionally, SSL_CTX_load_verify_locations(3) supports file formats
that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
do not support, for example certificates in the BEGIN TRUSTED
CERTIFICATE format. Valid configurations with older stunnel versions
that point to such a file would otherwise needlessly start failing.
Additionally, use SSL_load_client_CA_file(3) to load certificates from
a file rather than SSL_add_file_cert_subjects_to_stack(3), since the
former uses a hashtable for deduplication, but the latter relies on
a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in
OpenSSL, because the comparison function for X509_NAMEs converts them to
DER involving a memory allocation, which is already expensive, but even
more expensive when used with stunnel's custom allocator functions.
An upstream PR openssl/openssl#25056 will eventually fix this, but it
will take quite a while for this to arrive on users' systems, and it
will likely not be backported into older affected versions of OpenSSL or
their forks.
(cherry picked from commit
Repository files:
.gitignore
Certificate-Creation
gating.yaml
pgp.asc
pop3-redirect.xinetd
sfinger.xinetd
sources
stunnel-5.50-authpriv.patch
stunnel-5.56-curves-doc-update.patch
stunnel-5.61-systemd-service.patch
stunnel-5.69-default-tls-version.patch
stunnel-5.69-system-ciphers.patch
stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
stunnel-5.72-speed-up-loading-client-CA-list.patch
stunnel-pop3s-client.conf
stunnel-sfinger.conf
stunnel.spec
stunnel@.service