Bug 1262775
| Summary: | openssl: thread-local error queue | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Florian Weimer <fweimer> | ||||
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 7.1 | ||||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-01-18 15:35:51 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Is this really something we want to implement in RHEL? I do not think we should diverge from upstream in this regard. (In reply to Tomas Mraz from comment #2) > Is this really something we want to implement in RHEL? I do not think we > should diverge from upstream in this regard. I agree, I just wanted to capture the patch somewhere for future reference, in case there is demand for improved scalability of the ASN.1 parser (which seems to suffer most from this issue even if there are no errors to report). Indirectly, this impacts client handshaking performance in most scenarios, and server handshaking performance if client certificates are used. Development Management has reviewed and declined this request. You may appeal this decision by reopening this request. |
Created attachment 1073174 [details] err-tls.patch The attached, slightly silly patch (on top of 1.0.1e-42) replace the OpenSSL implementation of thread-local variables with the platform implementation. It removes the “get_rn” function from profiles of multi-threaded applications and reduces lock contention. This is not quite a production-quality implementation, and it is not 100% backwards compatibility (but it is quite close). It should be enough for testing applications which see “get_rn“ in their profiles or are affected by the ERR subsystem lock contention. A full implementation would keep the old mechanism alive and just cache the results in a thread-local variable, and maybe even add a pthreads destructor to release error state on thread exit.