Bug 2082785

Summary: dovecot is unusable when having a large CA cert file
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: dovecot
Assignee: Michal Hlavinka <mhlavink>
Status: NEW
QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
Severity: high
Priority: high
Version: 8.5
CC: sbroz
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Renaud Métrich 2022-05-07 07:48:06 UTC
Description of problem:

When specifying a large CA cert file in the configuration (86MB containing a large CRL), dovecot becomes unusable due to the following reasons:
1. Every time a user logs in (on POP3 or IMAP port), CPU spins for 3 seconds or more
2. Each imap-login or pop3-login process takes 1GB of memory

Both issues are related to having the openssl library load the large cert file in memory and manipulate it into private objects, which seems CPU- and memory-consuming.

Note that compared to RHEL7 dovecot/openssl, it's better (it was taking 2GB of memory), but it's still not acceptable.

Version-Release number of selected component (if applicable):

dovecot-2.3.8-9.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Set up the pop3 and/or imap protocols + large CA cert

Below are the new lines compared to defaults.

/etc/dovecot/dovecot.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
protocols = pop3 imap
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/etc/dovecot/conf.d/10-master.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
default_vsz_limit = 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/etc/dovecot/conf.d/10-ssl.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ssl_ca = </etc/pki/dovecot/certs/crl-ca.cer
ssl_require_crl = yes
ssl_verify_client_cert = yes
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Copy large CA to /etc/pki/dovecot/certs/crl-ca.cer

3. Start dovecot

4. Use telnet to connect to POP3 (port 995) or IMAP (port 993)

$ telnet localhost 995

Actual results:

CPU spinning for 3 seconds then 1GB memory taken.

Expected results:

No CPU spinning and acceptable memory consumption.

Additional info:

Potentially a fix/improvement could be to initialize the openssl library in a pop3-login/imap-login "master" process once, then the child handling the connection would be forked and use that shared memory (I would expect it to be read-only and never modified, so never copied).
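Since every login process loads the whole ssl_ca file, a useful pre-flight check is to see how much of that bundle is actually CRL data before enabling ssl_require_crl. The following script is an added example, not part of the bug report or of Dovecot: it resolves Dovecot's "<path" file-reference syntax, splits a PEM bundle into its blocks, and reports the byte share of CRL blocks; the sample bundle and the 1 MB warning threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like a Dovecot ssl_ca bundle: one CA certificate
# followed by one CRL. The base64 bodies are placeholders, not real objects.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n"
    + ("MDEyMzQ1Njc4OQ==" * 4 + "\n") * 2
    + "-----END X509 CRL-----\n"
)

# One PEM block; the backreference keeps BEGIN and END labels paired.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def ssl_ca_path(setting):
    """Dovecot reads a setting's value from a file when it starts with '<'."""
    value = setting.strip()
    if not value.startswith("<"):
        raise ValueError("ssl_ca is given inline, not as a file reference")
    return value[1:].strip()


def summarize_pem_bundle(text):
    """Return (count per PEM type, bytes per PEM type) for a bundle."""
    counts, sizes = defaultdict(int), defaultdict(int)
    for m in PEM_BLOCK.finditer(text):
        counts[m.group(1)] += 1
        sizes[m.group(1)] += len(m.group(0))
    return dict(counts), dict(sizes)


def crl_share(text):
    """Fraction of the bundle's bytes taken by X509 CRL blocks (0.0 if none)."""
    _, sizes = summarize_pem_bundle(text)
    total = sum(sizes.values())
    return sizes.get("X509 CRL", 0) / total if total else 0.0


def check_bundle(text, max_bytes=1_000_000):
    """Findings for a bundle; max_bytes is an assumed threshold, tune for your site."""
    counts, sizes = summarize_pem_bundle(text)
    total = sum(sizes.values())
    findings = []
    if total > max_bytes:
        findings.append(f"bundle is {total} bytes, loaded per login process")
    if counts.get("X509 CRL", 0):
        findings.append(f"{counts['X509 CRL']} CRL block(s) are {crl_share(text):.0%} of the bundle")
    return findings
```

Run it against the real file with `check_bundle(open(ssl_ca_path("</etc/pki/dovecot/certs/crl-ca.cer")).read())` to see whether the CRL, rather than the CA certificates, dominates the bundle.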