Public bug reported:

curl-7.47.0-1ubuntu2.2 spent lots of time reading CA certs before sending "client hello"; on the other hand, curl 7.22.0 didn't spend time reading CA certs before a "client hello" and after "server hello" was received and it only read a few CA certs. This made a significant difference in terms of response time between 7.22.0 and 7.47.0.

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
$ dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================================-============================-============================-=================================================================================================
ii curl 7.47.0-1ubuntu2.2 amd64 command line tool for transferring data with URL syntax
$ curl -w "@curl-format.txt" https://170.199.194.0:4443/@p1/heartbeat/ -k -s -o /dev/null
time_namelookup: 0.000
time_connect: 0.001
time_appconnect: 0.009
time_pretransfer: 0.009
time_redirect: 0.000
time_starttransfer: 0.011
----------
time_total: 0.011

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
$ dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============================================-==============================================-============================================================================================================
ii curl 7.22.0-3ubuntu4.17 Get a file from an HTTP, HTTPS or FTP server
$ curl -w "@curl-format.txt" https://170.199.194.0:4443/@p1/heartbeat/ -k -s -o /dev/null
time_namelookup: 0.000
time_connect: 0.001
time_appconnect: 0.256
time_pretransfer: 0.256
time_redirect: 0.000
time_starttransfer: 0.257
----------
time_total: 0.257

The problem was that when curl-7.47.0 was compiled with gnutls and with --with-ca-path=/etc/ssl/certs, it would read all certificates from the path before sending client hello; on the other hand, when it's compiled with libssl, it's fine.

I checked the build options for 7.22.0-3ubuntu4.17; only --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt was used. curl built with gnutls with --with-ca-bundle and without --with-ca-path was still slower than the build with libssl.

What needs to be done to build 7.47.0 with similar response time for https as 7.22.0?

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1768112

Title:
  7.47.0-1ubuntu2.2 is much slower than 7.22.0-3ubuntu4.17 for https
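
An added example, not part of the original report: a small Python helper that turns the cumulative curl -w timers shown above into per-phase durations and names the phase that differs most between two runs. The function names are hypothetical, the two sample strings are copied from the report's output, and it assumes the CA loading described in the report falls between time_connect and time_appconnect.

```python
import re

# curl -w timers are cumulative from the start of the request, so each
# phase is the difference between one timer and the one before it.
PHASES = [
    ("dns", "time_namelookup"),
    ("tcp_connect", "time_connect"),
    ("tls_handshake", "time_appconnect"),  # assumed to include CA loading
    ("pre_transfer", "time_pretransfer"),
    ("server_wait", "time_starttransfer"),
    ("transfer", "time_total"),
]

# The two timing outputs quoted in the report, labelled only by speed.
FAST_RUN = ("time_namelookup: 0.000 time_connect: 0.001 time_appconnect: 0.009 "
            "time_pretransfer: 0.009 time_redirect: 0.000 "
            "time_starttransfer: 0.011 ---------- time_total: 0.011")
SLOW_RUN = ("time_namelookup: 0.000 time_connect: 0.001 time_appconnect: 0.256 "
            "time_pretransfer: 0.256 time_redirect: 0.000 "
            "time_starttransfer: 0.257 ---------- time_total: 0.257")


def parse_timings(text):
    """Extract 'time_xxx: 0.123' pairs from curl -w output into a dict."""
    return {k: float(v) for k, v in re.findall(r"(time_\w+):\s*([0-9.]+)", text)}


def phase_breakdown(timings):
    """Convert cumulative timers into per-phase durations (seconds)."""
    out, prev = {}, 0.0
    for name, key in PHASES:
        out[name] = round(timings[key] - prev, 3)
        prev = timings[key]
    return out


def slowest_regression(fast_text, slow_text):
    """Return (phase, extra_seconds) for the phase that grew the most."""
    fast = phase_breakdown(parse_timings(fast_text))
    slow = phase_breakdown(parse_timings(slow_text))
    deltas = {name: round(slow[name] - fast[name], 3) for name in fast}
    worst = max(deltas, key=deltas.get)
    return worst, deltas[worst]


if __name__ == "__main__":
    print(phase_breakdown(parse_timings(FAST_RUN)))
    print(phase_breakdown(parse_timings(SLOW_RUN)))
    print(slowest_regression(FAST_RUN, SLOW_RUN))
```

Every other phase differs by at most a millisecond between the two runs, so the slowdown sits entirely in the TLS setup window.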