subject:"\[Touch\-packages\] \[Bug 2033422\] Re\: openssl\: backport to jammy \"clear method store \/ query cache confusion\""

[Touch-packages] [Bug 2033422] Re: openssl: backport to jammy "clear method store / query cache confusion"

2024-01-25 Thread Launchpad Bug Tracker

This bug was fixed in the package openssl - 3.0.2-0ubuntu1.13

---
openssl (3.0.2-0ubuntu1.13) jammy; urgency=medium

  * Fix (upstream): crash when using an engine for ciphers used by DRBG
(LP: #2023545)
- lp2023545/0001-Release-the-drbg-in-the-global-default-context-befor.patch
  * Fix (upstream): do not ignore return values for S/MIME signature
(LP: #1994165)
- lp1994165/0001-REGRESSION-CMS_final-do-not-ignore-CMS_dataFinal-res.patch
  * Perf (upstream): don't empty method stores and provider synchronization
records when flushing the query cache (LP: #2033422)
- lp2033422/0001-Drop-ossl_provider_clear_all_operation_bits-and-all-.patch
- lp2033422/0002-Refactor-method-construction-pre-and-post-condition.patch
- lp2033422/0003-Don-t-empty-the-method-store-when-flushing-the-query.patch
- lp2033422/0004-Make-it-possible-to-remove-methods-by-the-provider-t.patch
- lp2033422/0005-Complete-the-cleanup-of-an-algorithm-in-OSSL_METHOD_.patch
- lp2033422/0006-For-child-libctx-provider-don-t-count-self-reference.patch
- lp2033422/0007-Add-method-store-cache-flush-and-method-removal-to-n.patch

 -- Adrien Nader   Tue, 09 Jan 2024 11:42:50
+0100

** Changed in: openssl (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2033422

Title:
  openssl: backport to jammy "clear method store / query cache
  confusion"

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Jammy:
  Fix Released
Status in openssl source package in Lunar:
  Fix Released

Bug description:
  === SRU information ===
  [ATTENTION]
  This SRU contains THREE changes which are listed in the section below.

  [Meta]
  This bug is part of a series of three bugs for a single SRU.
  This ( #2033422 ) is the "central" bug with the global information and 
debdiff.

  This SRU addresses three issues with Jammy's openssl version:
  - http://pad.lv/1994165: ignored SMIME signature errors
  - http://pad.lv/2023545: imbca engine dumps core
  - http://pad.lv/2033422: very high CPU usage for concurrent TLS connections 
(this one)

  The SRU information has been added to the three bug reports and I am
  attaching the debdiff here only for all three.

  All the patches have been included in subsequent openssl 3.0.x
  releases which in turn have been included in subsequent Ubuntu
  releases. There has been no report of issues when updating to these
  Ubuntu releases.

  I have rebuilt the openssl versions and used abi-compliance-checker to
  compare the ABIs of the libraries in jammy and the one for the SRU.
  Both matched completely (FYI, mantic's matched completely too).

  I have also pushed the code to git (without any attempt to make it
  git-ubuntu friendly).

  
https://code.launchpad.net/~adrien-n/ubuntu/+source/openssl/+git/openssl/+ref/jammy-
  sru

  I asked Brian Murray about phasing speed and he concurs a slow roll-out is 
probably better for openssl. There is a small uncertainty because a security 
update could come before the phasing is over, effectively fast-forwarding the 
SRU. Still, unless there is already a current pre-advisory, this is probably 
better than a 10% phasing which is over after only a couple days anyway.
  NB: at the moment openssl doesn't phase slowly so this needs to be 
implemented.

  [Impact]
  Severely degraded performance for concurrent operations compared to openssl 
1.1. The performance is so degraded that some workloads fail due to timeouts or 
insufficient resources (noone magically has 5 times more machines). As a 
consequence, a number of people use openssl 1.1 instead and do not get security 
updates.

  [Test plan]
  Rafael Lopez has shared a simple benchmarks in http://pad.lv/2009544 with 
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2009544/+attachment/5690224/+files/main.py
 .

  To test, follow these steps:
  - run "time python3 main.py" # using the aforementioned main.py script
  - apt install -t jammy-proposed libssl3
  - run "time python3 main.py"
  - compare the runtimes for the two main.py runs

  You can run this on x86_64, Raspberry Pi 4 or any machine, and get a
  very large speed-up in all cases. The improvements are not
  architecture-dependant.

  Using this changeset, I get the following numbers for ten runs on my
  laptop:

  3.0.2:
  real  2m5.567s
  user  4m3.948s
  sys   2m0.233s

  this SRU:
  real  0m23.966s
  user  2m35.687s
  sys   0m1.920s

  As can be easily seen, the speed-up is massive: system time is divided
  by 60 and overall wall clock time is roughly five times lower.

  In http://pad.lv/2009544 , Rafael also shared his performance numbers
  and they are relatable to these. He used slightly different versions
  (upstreams rather than patched with cherry-picks) but at least one of
  the

[Touch-packages] [Bug 2033422] Re: openssl: backport to jammy "clear method store / query cache confusion"

2024-01-24 Thread Adrien Nader

Thanks a lot for the verification Simon!

I looked at the test results and I believe failed tests are all fine:

- diffoscope: pyhon "ModuleNotFoundError: No module named 'tests.utils'"
- dotnet*: complains that this dotnet is not tested for 24.04 (yes, 24.04); 
this system of keeping a matrix of host/targets compatibility is being removed 
upstream due to being impossible to maintain (confirmed by Dominik)
- ganeti: same failure as with the iptables SRU
- linux-*: timed out building the kernel
- ruby3.0: expired certificates in testsuite

For the following packages, I re-tried the tests and they succeeded:

- puma: retried twice and passed; at least one occurrence of the same failure
- python-bonsai: retried; passing now; there have been various errors in this 
package that disappear on re-try
- seqkit: retried; and passing I guess since it disappeared; there's a (long) 
history of this test failing
- systemd: retried; timeouts which don't really seem to be related to openssl, 
or at least I couldn't spot an error, same issues can be seen in several other 
logs

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2033422

Title:
  openssl: backport to jammy "clear method store / query cache
  confusion"

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Jammy:
  Fix Committed
Status in openssl source package in Lunar:
  Fix Released

Bug description:
  === SRU information ===
  [ATTENTION]
  This SRU contains THREE changes which are listed in the section below.

  [Meta]
  This bug is part of a series of three bugs for a single SRU.
  This ( #2033422 ) is the "central" bug with the global information and 
debdiff.

  This SRU addresses three issues with Jammy's openssl version:
  - http://pad.lv/1994165: ignored SMIME signature errors
  - http://pad.lv/2023545: imbca engine dumps core
  - http://pad.lv/2033422: very high CPU usage for concurrent TLS connections 
(this one)

  The SRU information has been added to the three bug reports and I am
  attaching the debdiff here only for all three.

  All the patches have been included in subsequent openssl 3.0.x
  releases which in turn have been included in subsequent Ubuntu
  releases. There has been no report of issues when updating to these
  Ubuntu releases.

  I have rebuilt the openssl versions and used abi-compliance-checker to
  compare the ABIs of the libraries in jammy and the one for the SRU.
  Both matched completely (FYI, mantic's matched completely too).

  I have also pushed the code to git (without any attempt to make it
  git-ubuntu friendly).

  
https://code.launchpad.net/~adrien-n/ubuntu/+source/openssl/+git/openssl/+ref/jammy-
  sru

  I asked Brian Murray about phasing speed and he concurs a slow roll-out is 
probably better for openssl. There is a small uncertainty because a security 
update could come before the phasing is over, effectively fast-forwarding the 
SRU. Still, unless there is already a current pre-advisory, this is probably 
better than a 10% phasing which is over after only a couple days anyway.
  NB: at the moment openssl doesn't phase slowly so this needs to be 
implemented.

  [Impact]
  Severely degraded performance for concurrent operations compared to openssl 
1.1. The performance is so degraded that some workloads fail due to timeouts or 
insufficient resources (noone magically has 5 times more machines). As a 
consequence, a number of people use openssl 1.1 instead and do not get security 
updates.

  [Test plan]
  Rafael Lopez has shared a simple benchmarks in http://pad.lv/2009544 with 
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2009544/+attachment/5690224/+files/main.py
 .

  To test, follow these steps:
  - run "time python3 main.py" # using the aforementioned main.py script
  - apt install -t jammy-proposed libssl3
  - run "time python3 main.py"
  - compare the runtimes for the two main.py runs

  You can run this on x86_64, Raspberry Pi 4 or any machine, and get a
  very large speed-up in all cases. The improvements are not
  architecture-dependant.

  Using this changeset, I get the following numbers for ten runs on my
  laptop:

  3.0.2:
  real  2m5.567s
  user  4m3.948s
  sys   2m0.233s

  this SRU:
  real  0m23.966s
  user  2m35.687s
  sys   0m1.920s

  As can be easily seen, the speed-up is massive: system time is divided
  by 60 and overall wall clock time is roughly five times lower.

  In http://pad.lv/2009544 , Rafael also shared his performance numbers
  and they are relatable to these. He used slightly different versions
  (upstreams rather than patched with cherry-picks) but at least one of
  the version used does not include other performance change. He also
  used different hardware and this performance issue seems to depend on
  the number of CPUs available but also obtained a performance several
  times better.

[Touch-packages] [Bug 2033422] Re: openssl: backport to jammy "clear method store / query cache confusion"

2024-01-20 Thread Simon Déziel

Using a fast HTTPS server (same LAN as client), the `main.py` tests goes
from ~8s to ~2.5s:

# time python3 /tmp/main.py
Distro: Ubuntu 22.04.3 LTS
Python Version: 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]
OpenSSL Version: OpenSSL 3.0.2 15 Mar 2022
0 1 2 3 ... 99
real0m8.163s
user0m16.041s
sys 0m3.474s

# apt-get install -t jammy-proposed libssl3
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
libssl3
1 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
Need to get 1,902 kB of archives.
After this operation, 1,024 B of additional disk space will be used.

Upgrading the server side (NGINX) didn't make a measurable difference.

** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2033422

Title:
openssl: backport to jammy "clear method store / query cache
confusion"

Status in openssl package in Ubuntu:
New
Status in openssl source package in Jammy:
Fix Committed
Status in openssl source package in Lunar:
Fix Released

Bug description:
=== SRU information ===
[ATTENTION]
This SRU contains THREE changes which are listed in the section below.

[Meta]
This bug is part of a series of three bugs for a single SRU.
This ( #2033422 ) is the "central" bug with the global information and
debdiff.

This SRU addresses three issues with Jammy's openssl version:
- http://pad.lv/1994165: ignored SMIME signature errors
- http://pad.lv/2023545: imbca engine dumps core
- http://pad.lv/2033422: very high CPU usage for concurrent TLS connections
(this one)

The SRU information has been added to the three bug reports and I am
attaching the debdiff here only for all three.

All the patches have been included in subsequent openssl 3.0.x
releases which in turn have been included in subsequent Ubuntu
releases. There has been no report of issues when updating to these
Ubuntu releases.

I have rebuilt the openssl versions and used abi-compliance-checker to
compare the ABIs of the libraries in jammy and the one for the SRU.
Both matched completely (FYI, mantic's matched completely too).

I have also pushed the code to git (without any attempt to make it
git-ubuntu friendly).

https://code.launchpad.net/~adrien-n/ubuntu/+source/openssl/+git/openssl/+ref/jammy-
sru

I asked Brian Murray about phasing speed and he concurs a slow roll-out is
probably better for openssl. There is a small uncertainty because a security
update could come before the phasing is over, effectively fast-forwarding the
SRU. Still, unless there is already a current pre-advisory, this is probably
better than a 10% phasing which is over after only a couple days anyway.
NB: at the moment openssl doesn't phase slowly so this needs to be
implemented.

[Impact]
Severely degraded performance for concurrent operations compared to openssl
1.1. The performance is so degraded that some workloads fail due to timeouts or
insufficient resources (noone magically has 5 times more machines). As a
consequence, a number of people use openssl 1.1 instead and do not get security
updates.

[Test plan]
Rafael Lopez has shared a simple benchmarks in http://pad.lv/2009544 with
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2009544/+attachment/5690224/+files/main.py
.

To test, follow these steps:
- run "time python3 main.py" # using the aforementioned main.py script
- apt install -t jammy-proposed libssl3
- run "time python3 main.py"
- compare the runtimes for the two main.py runs

You can run this on x86_64, Raspberry Pi 4 or any machine, and get a
very large speed-up in all cases. The improvements are not
architecture-dependant.

Using this changeset, I get the following numbers for ten runs on my
laptop:

3.0.2:
real 2m5.567s
user 4m3.948s
sys 2m0.233s

this SRU:
real 0m23.966s
user 2m35.687s
sys 0m1.920s

As can be easily seen, the speed-up is massive: system time is divided
by 60 and overall wall clock time is roughly five times lower.

[Touch-packages] [Bug 2033422] Re: openssl: backport to jammy "clear method store / query cache confusion"

2024-01-19 Thread Steve Langasek

Hello Adrien, or anyone else affected,

Accepted openssl into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.13 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
jammy to verification-done-jammy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-jammy. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssl (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2033422

Title:
  openssl: backport to jammy "clear method store / query cache
  confusion"

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Jammy:
  Fix Committed
Status in openssl source package in Lunar:
  Fix Released

Bug description:
  === SRU information ===
  [ATTENTION]
  This SRU contains THREE changes which are listed in the section below.

  [Meta]
  This bug is part of a series of three bugs for a single SRU.
  This ( #2033422 ) is the "central" bug with the global information and 
debdiff.

  This SRU addresses three issues with Jammy's openssl version:
  - http://pad.lv/1994165: ignored SMIME signature errors
  - http://pad.lv/2023545: imbca engine dumps core
  - http://pad.lv/2033422: very high CPU usage for concurrent TLS connections 
(this one)

  The SRU information has been added to the three bug reports and I am
  attaching the debdiff here only for all three.

  All the patches have been included in subsequent openssl 3.0.x
  releases which in turn have been included in subsequent Ubuntu
  releases. There has been no report of issues when updating to these
  Ubuntu releases.

  I have rebuilt the openssl versions and used abi-compliance-checker to
  compare the ABIs of the libraries in jammy and the one for the SRU.
  Both matched completely (FYI, mantic's matched completely too).

  I have also pushed the code to git (without any attempt to make it
  git-ubuntu friendly).

  
https://code.launchpad.net/~adrien-n/ubuntu/+source/openssl/+git/openssl/+ref/jammy-
  sru

  I asked Brian Murray about phasing speed and he concurs a slow roll-out is 
probably better for openssl. There is a small uncertainty because a security 
update could come before the phasing is over, effectively fast-forwarding the 
SRU. Still, unless there is already a current pre-advisory, this is probably 
better than a 10% phasing which is over after only a couple days anyway.
  NB: at the moment openssl doesn't phase slowly so this needs to be 
implemented.

  [Impact]
  Severely degraded performance for concurrent operations compared to openssl 
1.1. The performance is so degraded that some workloads fail due to timeouts or 
insufficient resources (noone magically has 5 times more machines). As a 
consequence, a number of people use openssl 1.1 instead and do not get security 
updates.

  [Test plan]
  Rafael Lopez has shared a simple benchmarks in http://pad.lv/2009544 with 
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2009544/+attachment/5690224/+files/main.py
 .

  To test, follow these steps:
  - run "time python3 main.py" # using the aforementioned main.py script
  - apt install -t jammy-proposed libssl3
  - run "time python3 main.py"
  - compare the runtimes for the two main.py runs

  You can run this on x86_64, Raspberry Pi 4 or any machine, and get a
  very large speed-up in all cases. The improvements are not
  architecture-dependant.

  Using this changeset, I get the following numbers for ten runs on my
  laptop:

  3.0.2:
  real  2m5.567s
  user  4m3.948s
  sys   2m0.233s

  this SRU:
  real  0m23.966s
  user  2m35.687s
  sys   0m1.920s

  As can be easily seen, the speed-up is massive: system time is divided
  by 60 and overall wall clock time is roughly five times lower.

  In http://pad.lv/2009544 , Rafael also shared his performance numbers
  and they are relatable to these. He used

[Touch-packages] [Bug 2033422] Re: openssl: backport to jammy "clear method store / query cache confusion"

2024-01-11 Thread Adrien Nader

Thanks for the review and upload.

I have a similar take on the patches in this series and I believe it
would be very difficult and riskier to try to skip some of the patches
in this series which has seen real-world use as a whole, starting with
openssl >= 3.0.4 (which we started shipping in lunar).

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2033422

Title:
openssl: backport to jammy "clear method store / query cache
confusion"

Status in openssl package in Ubuntu:
New
Status in openssl source package in Jammy:
In Progress
Status in openssl source package in Lunar:
Fix Released