-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Openssl 3 with NODE_EXTRA_CA_CERTS slows down node.js v17 startup #40524
Comments
In fact, certificate.pem can also be empty. It has the same slow down. |
@danbev do you remember any changes related to EXTRA_CA_CERTS with the update to OpenSSL 3 that might be related? |
this is in src/node.cc {
std::string extra_ca_certs;
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
} And the code in UseExtraCaCerts does not seem to be changed as part of the update to v3 - node/src/crypto/crypto_context.cc Line 1327 in 7ed303b
|
Nothing that I can think unfortunately specifically related to |
It also seems to reproduce on linux as well. For 16.x adding EXTRA_CA_CERTS does not seems to have much of an effect, where as it is noticeable in 17.x It varies a bit but these are two comparisions: Default
With NODE_EXTRA_CA_CERTS set
|
Excuse me. Correcting title. |
Additional time is in this method: node/src/crypto/crypto_context.cc Line 192 in 7ed303b
|
Difference seems to be in this part of the code: if (root_certs_vector.empty() &&
per_process::cli_options->ssl_openssl_cert_store == false) {
for (size_t i = 0; i < arraysize(root_certs); i++) {
X509* x509 =
PEM_read_bio_X509(NodeBIO::NewFixed(root_certs[i],
strlen(root_certs[i])).get(),
nullptr, // no re-use of X509 structure
NoPasswordCallback,
nullptr); // no callback data
// Parse errors from the built-in roots are fatal.
CHECK_NOT_NULL(x509);
root_certs_vector.push_back(x509);
}
} I checked 16.x and 17.x and |
The extra time seems be proportional to the number of root_certs. ie if I truncate to 1/2 the size it seems to add 1/2 the overhead. This would indicate that |
Adding |
Actually looks like those might be removed, need to look at equivalents |
It seems very old, to affect now on v17 and not in v16.
|
In fact, it's very strange that it affects only when new certificates are added througth NODE_EXTRA_CA_CERTS and not with the node default certificates. |
I created the bug report in the openssl repository to see if it is expected or not - openssl/openssl#16871. I did search for issues in the repo but could not find anything that discussed/suggested it was a known issue. |
@nassau-t I must have searched wrong as I see no the OPENSSL_NO_X509_VERIFY is not in the OpenSSL v3 release notes, I was just looking for something that might disable new validating being done. |
From what I read, It seems that "Remove ... OPENSSL_NO_X509_VERIFY" was done in the openssl log "Changes between 1.0.2h and 1.1.0 [25 Aug 2016]" |
@nassau-t that is what I was trying to say. I thought it was part of the OpenSSL release notes earlier when when I first searched, but later saw that I got that wrong. |
Ok, let's see if they say something in the openssl issue... It's very strange that even with an empty certificate.pem, it is so slow. Perhaps it checks the default node certificates before to check the new one's (I don't know how it works). |
@nassau-t it sounds like this is a known issue on OpenSSL v3 from the comment on the issue I opened. For your use case are the extra certificates used every time you run Node.js or just in some subset of the cases. I'm not sure if its even possible but wondering if a lazy loading scheme would add any value? |
@mhdawson Well, I think I must go forward with node v17.x and 100 or 150 ms more are not critical in my case (in fact I have measured again (perhaps timethis is not very exact on windows) and now I get 62 ms more, so in my case is a 57% more startup time. In node v16 it's practically the same with or without added certificates). |
@nassau-t The reason why the slowdown is noticeable only when Either way, the performance penalty is likely the same - just in a different location. |
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the bundled root certificates will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is ommitted. Fixes: nodejs#32010 Refs: nodejs#40524
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues nodejs#20432, nodejs#20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: nodejs#32010 Refs: nodejs#40524 Refs: nodejs#23354
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called, rather than losing them when unrelated options are provided. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues #20432, #20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: #32010 Refs: #40524 Refs: #23354 PR-URL: #44529 Reviewed-By: Tim Perry <pimterry@gmail.com>
Store loaded NODE_EXTRA_CA_CERTS into root_certs_vector, allowing them to be added to secure contexts when NewRootCertStore() is called, rather than losing them when unrelated options are provided. When NODE_EXTRA_CA_CERTS is specified, the root certificates (both bundled and extra) will no longer be preloaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS consistent with the default behavior when NODE_EXTRA_CA_CERTS is omitted. The original reason NODE_EXTRA_CA_CERTS were loaded at startup (issues #20432, #20434) was to prevent the environment variable from being changed at runtime. This change preserves the runtime consistency without actually having to load the certs at startup. Fixes: #32010 Refs: #40524 Refs: #23354 PR-URL: #44529 Reviewed-By: Tim Perry <pimterry@gmail.com>
Version
v17.0.0
Platform
Microsoft Windows NT 10.0.19042.0 x64
Subsystem
openssl 3
What steps will reproduce the bug?
Create an empty file a.js
Have a certificate.pem file with 1 certificate.
How often does it reproduce? Is there a required condition?
You must set a value for NODE_EXTRA_CA_CERTS
What is the expected behavior?
What do you see instead?
It seems that openssl 3 slows down node.js startup.
With this empty script is 86% slower than node.js v16. With a big script, it is around 46% slower.
I don't know if this is expected, so this is a normal beaviour of openssl 3... It's strange that it only happens with EXTRA_CA_CERTS.
Additional information
No response
The text was updated successfully, but these errors were encountered: