From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>,
"Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Roland Kletzing <roland.kletzing@cybercon.de>
Subject: [pve-devel] applied: [PATCH http-server] fix #4802: reduce CA lookups while proxying
Date: Mon, 3 Jul 2023 09:42:19 +0200 [thread overview]
Message-ID: <164e2d8f-3953-6c42-530f-818157be0855@proxmox.com> (raw)
In-Reply-To: <20230703071851.162066-1-f.gruenbichler@proxmox.com>
Am 03/07/2023 um 09:18 schrieb Fabian Grünbichler:
> openssl as packaged in Debian bookworm now ships a compat symlink for the
> "combined" CA certificates file (CAfile) as managed by update-ca-certificates.
> this symlink is in addition to the CApath one that has been around for a file.
> the new symlink in turn gets picked up by openssl-using code that uses the
> default values for the trust store.
>
> every TLS context initialization now reads the full combined file, even if no
> TLS is actually employed on a connection. we do such an initialization for
> every proxied connection (where our HTTP server is the client).
>
> by specifying an explicit CA path (that is identical to the default one), the
> old behaviour of looking up each CA certificate individually iff needed is
> enabled again.
>
> for an API endpoint where HTTP request handling is the bottle neck (as opposed
> to the actual API handler), this improves performance of proxied requests to be
> back in line with unproxied ones handled directly by the unprivileged daemon.
> for all proxied requests, CPU usage is decreased as well.
>
> the default CAfile and CApath contain the same certificates, so there should be
> no change in trusted certificates. additionally, certificate fingerprints are
> pinned in this context and verified against the cache of pinned fingerprints.
>
> Reported-by: Roland Kletzing <roland.kletzing@cybercon.de>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>
> Notes:
> CA cert access was verified using strace
>
> src/PVE/APIServer/AnyEvent.pm | 1 +
> 1 file changed, 1 insertion(+)
>
>
applied, thanks!
prev parent reply other threads:[~2023-07-03 7:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-03 7:18 [pve-devel] " Fabian Grünbichler
2023-07-03 7:42 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=164e2d8f-3953-6c42-530f-818157be0855@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=roland.kletzing@cybercon.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox