[pve-devel] applied: [PATCH http-server] fix #4802: reduce CA lookups while proxying

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jul 3 09:42:19 CEST 2023

Am 03/07/2023 um 09:18 schrieb Fabian Grünbichler:
> openssl as packaged in Debian bookworm now ships a compat symlink for the
> "combined" CA certificates file (CAfile) as managed by update-ca-certificates.
> this symlink is in addition to the CApath one that has been around for a file.
> the new symlink in turn gets picked up by openssl-using code that uses the
> default values for the trust store.
> every TLS context initialization now reads the full combined file, even if no
> TLS is actually employed on a connection. we do such an initialization for
> every proxied connection (where our HTTP server is the client).
> by specifying an explicit CA path (that is identical to the default one), the
> old behaviour of looking up each CA certificate individually iff needed is
> enabled again.
> for an API endpoint where HTTP request handling is the bottle neck (as opposed
> to the actual API handler), this improves performance of proxied requests to be
> back in line with unproxied ones handled directly by the unprivileged daemon.
> for all proxied requests, CPU usage is decreased as well.
> the default CAfile and CApath contain the same certificates, so there should be
> no change in trusted certificates. additionally, certificate fingerprints are
> pinned in this context and verified against the cache of pinned fingerprints.
> Reported-by: Roland Kletzing <roland.kletzing at cybercon.de>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> Notes:
>     CA cert access was verified using strace
>  src/PVE/APIServer/AnyEvent.pm | 1 +
>  1 file changed, 1 insertion(+)

applied, thanks!

More information about the pve-devel mailing list