Thank you so much for the quick reply, Henning Westerholt. I understand the workaround suggested, but I don't have control over it.
Thank you for considering an improvement on parallelization with respect to the problem stated. I have raised the issue https://github.com/kamailio/kamailio/issues/2312 with all the required details; I didn't find a way to assign the new feature request label to it. Please do the needful.

The stated problem in load_crl is also present in other load functions as well: load_cert, load_ca_list, set_cipher_list, set_verification, set_ssl_options, set_session_cache, ksr_tls_fix_domain.

Regards,
Mahesh.B

On Sun, May 3, 2020 at 2:06 PM Henning Westerholt <[email protected]> wrote:

> Hello,
>
> I noticed a similar behaviour, long startup times if you use multi-megabyte CRL files (like the system default one).
>
> One simple workaround is to use a smaller CRL file that just includes the necessary CAs.
>
> But the code could probably also be improved, maybe it is possible to parallelize it. You can open a feature request about it, or even better, a pull request.
>
> Cheers,
>
> Henning
>
> --
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
>
> *From:* sr-users <[email protected]> *On Behalf Of* mahesh b
> *Sent:* Sunday, May 3, 2020 4:30 AM
> *To:* Kamailio (SER) - Users Mailing List <[email protected]>
> *Subject:* [SR-Users] load_crl takes 90 seconds to complete it execution with crl file size of 4MB !!!
>
> Hi All,
>
> I am using Kamailio version 5.1.9. In my tls.cfg I have one client and server profile, along with the default client and server profile.
>
> I have CRL enabled for the non-default client and server profile; the CRL file size is 4 MB in my case.
>
> I have 22 child TCP processes.
>
> With this, what I observe is that load_crl is taking close to 90 seconds to finish its execution and return.
>
> It is very clear from the code that it's because of this for loop.
>
>     procs_no=get_max_procs();
>     for(i = 0; i < procs_no; i++) {
>         if (SSL_CTX_load_verify_locations(d->ctx[i], d->crl_file.s, 0) != 1) {
>             ERR("%s: Unable to load certificate revocation list '%s'\n",
>                 tls_domain_str(d), d->crl_file.s);
>             TLS_ERR("load_crl:");
>             return -1;
>         }
>         store = SSL_CTX_get_cert_store(d->ctx[i]);
>         X509_STORE_set_flags(store,
>             X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
>     }
>
> Is there a way this can be enhanced, or as per the current Kamailio design is this a must to do for each and every profile and the child process array list?
>
> Please suggest: is it justifiable for load_crl to take 90 seconds to complete its execution, with one client and server profile, 22 child TCP processes and a CRL file size of 4 MB?
>
> More info on my setup:
> -----------------------------
> Kamailio version 5.1.9 is running on the below:
>
> Linux kernel version: 3.10.0-693.el7.x86_64
>
> CentOS version: CentOS Linux release 7.4.1708 (Core)
>
> CPU: 2 cores with model name: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
>
> [root@miv5000 ~]# cat /proc/meminfo
> MemTotal:        3882076 kB
> MemFree:          811244 kB
> MemAvailable:    2320356 kB
>
> OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
>
> Regards,
>
> Mahesh.B
_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
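
Added example (not part of the thread and not Kamailio code): one way to apply the workaround from the quoted reply, trimming a PEM CRL bundle down to the CRLs of the CAs actually needed. Because the quoted load_crl loop sets X509_V_FLAG_CRL_CHECK_ALL, verification fails for any chain certificate whose issuer has no CRL loaded, so the function also reports wanted issuers that end up without one. Assumptions: wanted issuers are given as DER-encoded Names byte-identical to the CRL issuer field (for instance the subject of each CA certificate), all function names are hypothetical, and the sample bundle is constructed, unsigned data.

```python
import base64
import re

PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def crl_issuer(der):
    """Raw DER of the issuer Name in a CertificateList (RFC 5280, section 5.1)."""
    _, pos, _ = read_tlv(der, 0)      # CertificateList SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # tbsCertList SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0x02:                   # optional version INTEGER comes first
        pos = end
        _, _, end = read_tlv(der, pos)
    pos = end                         # step over signature AlgorithmIdentifier
    _, _, end = read_tlv(der, pos)    # issuer Name
    return der[pos:end]

def trim_bundle(pem_bundle, wanted):
    """Keep CRLs whose issuer is in wanted; return (pem, wanted issuers lacking a CRL)."""
    kept, seen = [], set()
    for m in PEM_CRL.finditer(pem_bundle):
        issuer = crl_issuer(base64.b64decode(m.group(1)))
        if issuer in wanted:
            kept.append(m.group(0) + b"\n")
            seen.add(issuer)
    return b"".join(kept), set(wanted) - seen

# Constructed sample data below: unsigned CRL skeletons, not real CRLs.
def der_tlv(tag, body):
    n = len(body)  # samples stay under 256 bytes, so one length byte suffices
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body
def sample_name(cn):  # Name with a single CN attribute (OID 2.5.4.3)
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn))))
def sample_crl(cn):
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg + sample_name(cn) + der_tlv(0x17, b"200503000000Z"))
    body = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + b"\xaa" * 64))
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(body) + b"-----END X509 CRL-----\n"

BUNDLE = b"".join(sample_crl(cn) for cn in (b"Needed CA", b"Unrelated CA 1", b"Unrelated CA 2"))
WANTED = {sample_name(b"Needed CA"), sample_name(b"CA without CRL")}
TRIMMED, MISSING = trim_bundle(BUNDLE, WANTED)
```

A non-empty MISSING set means the trimmed file is not safe to deploy as is: with CRL_CHECK_ALL, peers whose chain includes one of those CAs would be rejected until a CRL for that CA is added.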
