Am using Kamailio 5.1.9 version, In my tls.cfg i have one client and server profile,
along with default client and server profile.
I have crl enabled for the non default client and server profile , the crl file size is 4 MB in my case.
I have 22 child tcp process.
With this what i observe is load_crl is taking close to 90 seconds to finish its execution and return.
load_Crl function should not take 90 seconds to complete its execution.
probably it should take in the range of 10-15 seconds to complete its execution or even lesser.
load_Crl function is taking 90 seconds to complete its execution.
It is very clear from the code, its because of this for loop.
time taken to complete load_Crl execution is 90 seconds
procs_no=get_max_procs();
for(i = 0; i < procs_no; i++) {
if (SSL_CTX_load_verify_locations(d->ctx[i], d->crl_file.s, 0) != 1) {
ERR("%s: Unable to load certificate revocation list '%s'\n",
tls_domain_str(d), d->crl_file.s);
TLS_ERR("load_crl:");
return -1;
}
store = SSL_CTX_get_cert_store(d->ctx[i]);
X509_STORE_set_flags(store,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
Is there a way this can be enhanced or as per the current kamailio design this is a must to do for each and every profile and its ssl context array list for each process and for every profile.
The same logic is seen in other load functions as well, for example load_cert,
load_ca_list,
load_crl,
set_cipher_list,
set_verification,
set_ssl_options,
set_session_cache,
ksr_tls_fix_domain,
(paste your log messages here)
(paste your sip traffic here)
Reply from Henning Westerholt on posting this problem to Users Mailing list
"But the code could be probably also improved, maybe it is possible to parallelize it. You can open a feature request about it,"
Kamailio 5.1.9 version
Linux Kernel version : 3.10.0-693.el7.x86_64
Centos version : CentOS Linux release 7.4.1708 (Core)
CPU : 2 cores with model name : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
[root@miv5000 ~]# cat /proc/meminfo
MemTotal: 3882076 kB
MemFree: 811244 kB
MemAvailable: 2320356 kB
Openssl verison : OpenSSL 1.0.2k-fips 26 Jan 2017
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.