Bug 2082785 - dovecot is unusable when having a large CA cert file
Summary: dovecot is unusable when having a large CA cert file
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dovecot
Version: 8.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Michal Hlavinka
QA Contact: CS System Management SST QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-07 07:48 UTC by Renaud Métrich
Modified: 2023-08-16 10:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Issue Tracker RHELPLAN-121316
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-05-07 08:12:48 UTC

Description Renaud Métrich 2022-05-07 07:48:06 UTC
Description of problem:

When specifying a large CA cert file in the configuration (86MB containing a large CRL), dovecot becomes unusable due to the following reasons:
1. Every time a user logs in (on POP3 or IMAP port), CPU spins for 3 seconds or more
2. Each imap-login or pop3-login process takes 1GB of memory

Both issues are related to having the openssl library load the large cert file in memory and manipulate it into private objects, which seems CPU- and memory-consuming.

Note that compared to RHEL7 dovecot/openssl, it's better (it was taking 2GB of memory), but it's still not acceptable.

Version-Release number of selected component (if applicable):

dovecot-2.3.8-9.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Set up pop and/or imap protocols + large CA cert

Below are the new lines compared to defaults.

/etc/dovecot/dovecot.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
protocols = pop3 imap
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/etc/dovecot/conf.d/10-master.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
default_vsz_limit = 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/etc/dovecot/conf.d/10-ssl.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ssl_ca = </etc/pki/dovecot/certs/crl-ca.cer
ssl_require_crl = yes
ssl_verify_client_cert = yes
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Copy large CA to /etc/pki/dovecot/certs/crl-ca.cer

3. Start dovecot

4. Use telnet to connect to POP3 (port 995) or IMAP (port 993)

$ telnet localhost 995

Actual results:

CPU spinning for 3 seconds then 1GB memory taken.

Expected results:

No CPU spinning and acceptable memory consumption.

Additional info:

Potentially a fix/improvement could be to initialize the openssl library in a pop3-login/imap-login "master" process once, then the child handling the connection would be forked and use that shared memory (I would expect it's read-only and wouldn't be modified, so never copied).
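A way to check whether a configured ssl_ca file carries the condition described in this report (a CRL bundled into the CA file, which every login process parses on each connection), as an added example that is not part of the bug report or of dovecot: it reads the ssl_ca path from a 10-ssl.conf fragment and inventories the PEM blocks by type and decoded DER size. The bundle and conf fragment are constructed placeholders, not real certificates.

```python
import base64
import re

# Constructed sample bundle in the layout of the reported ssl_ca file: one CA
# certificate followed by a CRL. Bodies are placeholder base64, not real data.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + ("A" * 64 + "\n") * 2 + "-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n" + ("B" * 64 + "\n") * 10 + "-----END X509 CRL-----\n"
)

# Constructed 10-ssl.conf fragment matching the report's configuration.
SAMPLE_SSL_CONF = "ssl_ca = </etc/pki/dovecot/certs/crl-ca.cer\nssl_require_crl = yes\n"

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def ssl_ca_path(conf_text):
    """Return the path behind 'ssl_ca = <path' (the '<' means read-from-file), or None."""
    m = re.search(r"^\s*ssl_ca\s*=\s*<(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else None


def pem_inventory(bundle_text):
    """Count PEM blocks per label and sum their decoded DER sizes in bytes."""
    inventory = {}
    for label, body in PEM_BLOCK.findall(bundle_text):
        der_len = len(base64.b64decode("".join(body.split())))
        count, total = inventory.get(label, (0, 0))
        inventory[label] = (count + 1, total + der_len)
    return inventory


def assess_ssl_ca(bundle_text):
    """Summarise what each login process will parse: how much of the file is CRL."""
    inv = pem_inventory(bundle_text)
    cert_count, _ = inv.get("CERTIFICATE", (0, 0))
    crl_count, crl_bytes = inv.get("X509 CRL", (0, 0))
    total = sum(size for _, size in inv.values())
    return {
        "certificates": cert_count,
        "crls": crl_count,
        "crl_bytes": crl_bytes,
        "crl_share": crl_bytes / total if total else 0.0,
        "crl_in_ca_file": crl_count > 0,
    }


if __name__ == "__main__":
    print("ssl_ca file:", ssl_ca_path(SAMPLE_SSL_CONF))
    print(assess_ssl_ca(SAMPLE_BUNDLE))
```

To check a real deployment, read the file returned by ssl_ca_path() from /etc/dovecot/conf.d/10-ssl.conf and pass its contents to assess_ssl_ca(); a large crl_share is the situation this report describes.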

