Public bug reported:

curl-7.47.0-1ubuntu2.2 spent lots of time reading CA certs before sending "client hello"; on the other hand, curl 7.22.0 didn't spend time reading CA certs before a "client hello" and after "server hello" was received and it only read a few CA certs. This made a significant difference in terms of response time between 7.22.0 and 7.47.0.

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"

$ dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================================-============================-============================-=================================================================================================
ii curl 7.47.0-1ubuntu2.2 amd64 command line tool for transferring data with URL syntax

$ curl -w "@curl-format.txt" https://170.199.194.0:4443/@p1/heartbeat/ -k -s -o /dev/null
time_namelookup: 0.000
time_connect: 0.001
time_appconnect: 0.009
time_pretransfer: 0.009
time_redirect: 0.000
time_starttransfer: 0.011
----------
time_total: 0.011

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

$ dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============================================-==============================================-============================================================================================================
ii curl 7.22.0-3ubuntu4.17 Get a file from an HTTP, HTTPS or FTP server

$ curl -w "@curl-format.txt" https://170.199.194.0:4443/@p1/heartbeat/ -k -s -o /dev/null
time_namelookup: 0.000
time_connect: 0.001
time_appconnect: 0.256
time_pretransfer: 0.256
time_redirect: 0.000
time_starttransfer: 0.257
----------
time_total: 0.257

The problem was that when curl-7.47.0 was compiled with gnutls and with --with-ca-path=/etc/ssl/certs, it would read all certificates from the path before sending client hello; on the other hand, when it's compiled with libssl, it's fine.

I checked the build option for 7.22.0-3ubuntu4.17, only --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt was used.

curl built with gnutls with --with-ca-bundle and without --with-ca-path was still slower than the build with libssl.

What needs to be done to build 7.47.0 with similar response time for https as 7.22.0?

** Affects: curl (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1768112

Title:
  7.47.0-1ubuntu2.2 is much slower than 7.22.0-3ubuntu4.17 for https

Status in curl package in Ubuntu:
  New