An SSL-encrypting socket wrapper
a154e02ce9
Do not attempt to load and print all trusted CAs unless we need them to invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be slow, especially if there are many. The CAdir format allows OpenSSL to only load them on demand, avoiding this overhead. Additionally, SSL_CTX_load_verify_locations(3) supports file formats that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3) do not support, for example certificates in the BEGIN TRUSTED CERTIFICATE format. Valid configurations with older stunnel versions that point to such a file would otherwise needlessly start failing.

Additionally, use SSL_load_client_CA_file(3) to load certificates from a file rather than SSL_add_file_cert_subjects_to_stack(3), since the former uses a hashtable for deduplication, but the latter relies on a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in OpenSSL, because the comparison function for X509_NAMEs converts them to DER involving a memory allocation, which is already expensive, but even more expensive when used with stunnel's custom allocator functions. An upstream PR openssl/openssl#25056 will eventually fix this, but it will take quite a while for this to arrive on users' systems, and it will likely not be backported into older affected versions of OpenSSL or their forks.

Resolves: RHEL-52321
Resolves: RHEL-52317

Signed-off-by: Clemens Lang <cllang@redhat.com>
.gitignore
Certificate-Creation
gating.yaml
pgp.asc
pop3-redirect.xinetd
sfinger.xinetd
sources
stunnel-5.50-authpriv.patch
stunnel-5.56-curves-doc-update.patch
stunnel-5.61-systemd-service.patch
stunnel-5.69-default-tls-version.patch
stunnel-5.69-system-ciphers.patch
stunnel-5.72-speed-up-loading-client-CA-list.patch
stunnel-pop3s-client.conf
stunnel-sfinger.conf
stunnel.spec
stunnel@.service