Bug 2082785

Summary: dovecot is unusable when having a large CA cert file
Product: Red Hat Enterprise Linux 8
Component: dovecot
Version: 8.5
Hardware: All
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: high
Priority: high
Reporter: Renaud Métrich <rmetrich>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
CC: jgamba, sbroz
Target Milestone: rc
Type: Bug
Last Closed: 2023-09-13 10:19:49 UTC

Description Renaud Métrich 2022-05-07 07:48:06 UTC
Description of problem:

When specifying a large CA cert file in the configuration (86MB containing a large CRL), dovecot becomes unusable due to following reasons:
1. Every time a user logs in (on POP3 or IMAP port), CPU spins for 3 seconds or more
2. Each imap-login or pop3-login process takes 1GB of memory

Both issues are related to having the openssl library load the large cert file into memory and manipulate it into private objects, which seems CPU and memory consuming.

Note that compared to RHEL7 dovecot/openssl, it's better (it was taking 2GB of memory), but it's still not acceptable.

Version-Release number of selected component (if applicable):

dovecot-2.3.8-9.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Set up pop and/or imap protocols + large CA cert

Below are the new lines compared to defaults.

/etc/dovecot/dovecot.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
protocols = pop3 imap
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/etc/dovecot/conf.d/10-master.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
default_vsz_limit = 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/etc/dovecot/conf.d/10-ssl.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ssl_ca = </etc/pki/dovecot/certs/crl-ca.cer
ssl_require_crl = yes
ssl_verify_client_cert = yes
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Copy large CA to /etc/pki/dovecot/certs/crl-ca.cer

3. Start dovecot

4. Use telnet to connect to POP3 (port 995) or IMAP (port 993)

$ telnet localhost 995

Actual results:

CPU spinning for 3 seconds then 1GB memory taken.

Expected results:

No CPU spinning and acceptable memory consumption.

Additional info:

Potentially a fix/improvement could be to initialize the openssl library in a pop3-login/imap-login "master" process once; then the child handling the connection would be forked and use that shared memory (I would expect it to be read-only and never modified, so never copied).
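
The report above shows the setting that triggers the cost: `ssl_ca = <path` makes dovecot read the whole bundle, CRL included, and every imap-login/pop3-login process then hands it to OpenSSL. The following is an added example, not code from the bug report or from dovecot, of a pre-deployment check an operator could run over the `10-ssl.conf` fragment: it resolves the `<path` reference, counts the PEM objects in the bundle, flags a bundle larger than an assumed threshold (`BUNDLE_WARN_BYTES`, 8 MiB here; neither dovecot nor OpenSSL defines one) and flags `ssl_require_crl` being in effect with no CRL in the bundle. The function names, the injectable `read_file` hook and the PEM filler in `build_sample_bundle` are all constructed for this example; the filler is not valid DER.

```python
"""Pre-deployment check for dovecot's ssl_ca bundle size and contents.

Added example, not code from the bug report or from dovecot itself.
"""
import re
from pathlib import Path

# One PEM object: group 1 is the label (CERTIFICATE, X509 CRL, ...), group 2 the body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Assumed threshold for this example; neither dovecot nor OpenSSL enforces one.
BUNDLE_WARN_BYTES = 8 * 1024 * 1024


def parse_ssl_settings(conf_text):
    """Collect `ssl_*` settings from a dovecot config fragment.

    Only `key = value` lines are handled; lines starting with '#' are skipped.
    """
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("ssl_"):
            settings[key] = value
    return settings


def inspect_pem_bundle(pem_text):
    """Count PEM objects by label and report the bundle size in bytes."""
    counts = {}
    for label, _body in PEM_BLOCK.findall(pem_text):
        counts[label] = counts.get(label, 0) + 1
    return {"objects": counts, "bytes": len(pem_text.encode("utf-8"))}


def lint_ssl_ca(conf_text, read_file=lambda path: Path(path).read_text(),
                warn_bytes=BUNDLE_WARN_BYTES):
    """Return findings about the bundle that `ssl_ca = <path` points to.

    `read_file` is injectable (hypothetical hook) so the check can run on
    constructed input instead of the real filesystem.
    """
    s = parse_ssl_settings(conf_text)
    findings = []
    ca = s.get("ssl_ca", "")
    if not ca:
        return findings  # no bundle configured, nothing for login processes to load
    if not ca.startswith("<"):
        findings.append("ssl_ca is not a '<path' file reference; "
                        "this check only handles file references")
        return findings
    path = ca[1:].strip()
    info = inspect_pem_bundle(read_file(path))
    certs = info["objects"].get("CERTIFICATE", 0)
    crls = info["objects"].get("X509 CRL", 0)
    # ssl_require_crl defaults to yes in dovecot; with it in effect, client
    # certificates cannot verify unless the bundle also carries a CRL.
    if (s.get("ssl_verify_client_cert") == "yes"
            and s.get("ssl_require_crl", "yes") == "yes" and crls == 0):
        findings.append(f"{path}: ssl_require_crl is in effect but the bundle has no CRL; "
                        f"client-certificate verification will fail")
    if info["bytes"] > warn_bytes:
        findings.append(
            f"{path}: bundle is {info['bytes'] / 1048576:.1f} MiB "
            f"({certs} certificate(s), {crls} CRL(s)); every imap-login/pop3-login "
            f"process loads it"
        )
    return findings


def build_sample_bundle(crl_filler_bytes):
    """Constructed PEM bundle: one fake certificate plus one fake CRL padded with
    filler lines. The bodies are not valid DER; only labels and size matter here."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
    filler = ("A" * 64 + "\n") * (crl_filler_bytes // 65)
    crl = "-----BEGIN X509 CRL-----\n" + filler + "-----END X509 CRL-----\n"
    return cert + crl


def demo():
    """Run the check against the settings from the bug report, with a constructed
    ~200 kB bundle and a lowered threshold so the size finding fires."""
    conf = (
        "ssl_ca = </etc/pki/dovecot/certs/crl-ca.cer\n"
        "ssl_require_crl = yes\n"
        "ssl_verify_client_cert = yes\n"
    )
    fake_fs = {"/etc/pki/dovecot/certs/crl-ca.cer": build_sample_bundle(200_000)}
    return lint_ssl_ca(conf, read_file=fake_fs.__getitem__, warn_bytes=100_000)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real host, `lint_ssl_ca(Path("/etc/dovecot/conf.d/10-ssl.conf").read_text())` uses the default file reader; the point of the check is to catch an 86 MB CRL bundle before it is multiplied by the number of concurrent login processes, which is the situation the report describes.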

Comment 4 Michal Hlavinka 2023-09-13 10:19:49 UTC
While there can always be an improvement or a more optimized way to do something, in this case it would require a big effort and a code redesign with high regression risks; more information is needed before we can consider all pros/cons. As the other end was closed and no information was provided, closing this as insufficient data.