> On 27 Sep 2021, at 11:24 am, Jay Foster <jayf0ster@xxxxxxxxxxxxxx> wrote:
>
> I don't think so. The file system is a UBIFS on nand flash, and it works with 1.0.2 and 1.1.1. Even 1.1.1 is a *little* bit slower than 1.0.2, but nowhere near as much slower as 3.0.0.
>
> It looks like the OpenSSL library is reading the cert.pem file in 4KB blocks at a time and doing some processing on the data read. It appears that this processing is what is taking longer.

OpenSSL 3.0.0 has a new OSSL_DECODER API, it may still need some performance tuning? For example, in Postfix + OpenSSL 3.0.0 I'm decoding the compiled-in DER DH group via:

+static void load_builtin(void)
+{
+ EVP_PKEY *tmp = 0;
+ OSSL_DECODER_CTX *d;
+ const unsigned char *endp = builtin_der;
+ size_t dlen = sizeof(builtin_der);
+
+ d = OSSL_DECODER_CTX_new_for_pkey(&tmp, "DER", NULL, "DH",
+ OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
+ NULL, NULL);
+ /* Check decode succeeds and consumes all data (final dlen == 0) */
+ if (d && OSSL_DECODER_from_data(d, &endp, &dlen) && tmp && !dlen) {
+ dhp = tmp;
+ } else {
+ EVP_PKEY_free(tmp);
+ msg_warn("error loading compiled-in DH parameters");
+ tls_print_errors();
+ }
+ OSSL_DECODER_CTX_free(d);
+}

IIRC the loading of certificates now uses this API. There was perhaps also some work on new X509_STORE infrastructure. Performance issues in the new code are not implausible, and I hope can be addressed in upcoming releases.

--
Viktor.
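Review bot: the else branch of load_builtin() reports four different failures with one message: the decoder context could not be created (d is NULL), OSSL_DECODER_from_data() failed, the decode returned success but left tmp unset, or it succeeded with bytes left over (dlen != 0). In the last two cases the decode call itself returned success, so tls_print_errors() may have nothing to print and the log would show only "error loading compiled-in DH parameters" with no cause. Consider a distinct warning for the trailing-data case, for example one that includes the remaining dlen, so that a corrupted or mismatched builtin_der can be told apart from a provider or decoder lookup failure. Separately, dhp = tmp overwrites dhp without freeing any earlier value; if load_builtin() can run more than once, a short comment stating that it is called only while dhp is unset, or a guard to that effect, would make the ownership clear.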