Loading metadata can be slow due to parsing of default certificate bundle
Concerned version
Version: 2.0.11
Platform: Centos
Summary
- Enable SAML Issuer
- Import Renater metadata:
/usr/libexec/lemonldap-ng/bin/importMetadata -m https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml
- Restart LLNG
- Access the portal
- The first few requests are very slow
Logs
LLNG spends a lot of time parsing all SP metadata because, for each public key, Lasso initializes a new X509 context and re-parses the /etc/pki/tls/cert.pem file:
Strace:
open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=216090, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30d28a7000
read(3, "# ACCVRAIZ1\n-----BEGIN CERTIFICA"..., 4096) = 4096
...
# happens once for every loaded provider, takes about 10ms
Explanation in a GDB stack trace:
#5 0x00007f0de9935a04 in X509_load_cert_crl_file () from /lib64/libcrypto.so.10
#6 0x00007f0de9935b82 in by_file_ctrl () from /lib64/libcrypto.so.10
#7 0x00007f0de992bb20 in X509_STORE_set_default_paths () from /lib64/libcrypto.so.10
#8 0x00007f0de5f2b095 in xmlSecOpenSSLX509StoreInitialize () from /lib64/libxmlsec1-openssl.so.1
#9 0x00007f0de5cc0629 in xmlSecKeyDataStoreCreate () from /lib64/libxmlsec1.so.1
#10 0x00007f0de5f12afd in xmlSecOpenSSLKeysMngrInit () from /lib64/libxmlsec1-openssl.so.1
#11 0x00007f0de5f100f4 in xmlSecOpenSSLAppDefaultKeysMngrInit () from /lib64/libxmlsec1-openssl.so.1
#12 0x00007f0de66c1ed0 in lasso_xmlsec_load_key_info () from /lib64/liblasso.so.3
#13 0x00007f0de66e67a7 in lasso_provider_load_public_key () from /lib64/liblasso.so.3
#14 0x00007f0de66e6c25 in _lasso_provider_new_helper () from /lib64/liblasso.so.3
#15 0x00007f0de66ea450 in lasso_server_add_provider_helper () from /lib64/liblasso.so.3
Possible fixes
After reading the Lasso source code, I see no obvious way to fix this. lasso_xmlsec_load_key_info
offers no obvious way to reuse an existing key manager. But it is possible to point libcrypto to an empty certificate bundle:
In SAML.pm:
my $previous_value = $ENV{'SSL_CERT_FILE'};
$ENV{'SSL_CERT_FILE'} = "/dev/null";
# Launch parents initialization subroutines, then launch IdP and SP lists
.... after loading metadata
# Restore the previous state exactly: remove the variable again if it was unset
if ( defined $previous_value ) { $ENV{'SSL_CERT_FILE'} = $previous_value }
else                           { delete $ENV{'SSL_CERT_FILE'} }
Not very elegant, but it dramatically reduces the loading time. I will test for side effects.
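As an added example (not LemonLDAP::NG or Lasso code), the same workaround written so that SSL_CERT_FILE is restored exactly, including when it was unset beforehand or when loading dies part-way; the `$load_provider` callback and the metadata file names are placeholders standing in for the per-provider Lasso call in SAML.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run $code with libcrypto's default bundle pointed at an empty file, so that
# X509_STORE_set_default_paths() has nothing to parse while providers load.
# `local` restores SSL_CERT_FILE when the block exits, including on die(),
# and removes the variable again if it was not set before.
sub with_empty_cert_bundle {
    my ($code) = @_;
    local $ENV{SSL_CERT_FILE} = '/dev/null';
    return $code->();
}

# Wrap the metadata loop: $load_provider stands in for the per-provider Lasso
# call made in SAML.pm (hypothetical callback, not the real LLNG API).
sub load_providers {
    my ( $load_provider, @metadata_files ) = @_;
    return with_empty_cert_bundle(
        sub {
            $load_provider->($_) for @metadata_files;
            return scalar @metadata_files;
        }
    );
}

# Self-check with constructed values: the override is visible inside the block
# and the previous state comes back afterwards, for the unset and the set case.
sub check_env_restored {
    delete $ENV{SSL_CERT_FILE};
    my $seen = with_empty_cert_bundle( sub { $ENV{SSL_CERT_FILE} } );
    return 0 unless $seen eq '/dev/null';
    return 0 if exists $ENV{SSL_CERT_FILE};    # was unset, must be unset again

    $ENV{SSL_CERT_FILE} = '/etc/pki/tls/cert.pem';
    eval { with_empty_cert_bundle( sub { die "simulated metadata error\n" } ) };
    return $ENV{SSL_CERT_FILE} eq '/etc/pki/tls/cert.pem';
}

my $count = load_providers( sub { }, 'sp1.xml', 'sp2.xml' );    # constructed names
print "loaded $count providers\n";
print check_env_restored() ? "SSL_CERT_FILE restored correctly\n" : "restore FAILED\n";
```

Because `local` is dynamically scoped, the override only affects code running inside the block, so nothing that opens a TLS connection before or after metadata loading sees the empty bundle.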