Description of problem:
When specifying a large CA cert file in the configuration (86MB containing a large CRL), dovecot becomes unusable due to the following reasons:
1. Every time a user logs in (on POP3 or IMAP port), CPU spins for 3 seconds or more
2. Each imap-login or pop3-login process takes 1GB of memory
Both issues are related to having the openssl library load the large cert file into memory and manipulate it into private objects, which seems CPU and memory consuming.
Note that compared to RHEL7 dovecot/openssl, it's better (it was taking 2GB of memory), but it's still not acceptable.
Version-Release number of selected component (if applicable):
dovecot-2.3.8-9.el8.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Set up pop and/or imap protocols + large CA cert
Below are the new lines compared to defaults.
/etc/dovecot/dovecot.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
protocols = pop3 imap
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/etc/dovecot/conf.d/10-master.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
default_vsz_limit = 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/etc/dovecot/conf.d/10-ssl.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ssl_ca = </etc/pki/dovecot/certs/crl-ca.cer
ssl_require_crl = yes
ssl_verify_client_cert = yes
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
2. Copy large CA to /etc/pki/dovecot/certs/crl-ca.cer
3. Start dovecot
4. Use telnet to connect to POP3 (port 995) or IMAP (port 993)
$ telnet localhost 995
Actual results:
CPU spinning for 3 seconds then 1GB memory taken.
Expected results:
No CPU spinning and acceptable memory consumption.
Additional info:
Potentially, a fix/improvement could be to initialize the openssl library once in a pop3-login/imap-login "master" process; the child handling the connection would then be forked and use that shared memory (I would expect it to be read-only and never modified, so never copied).
While there can always be an improvement or a more optimized way to do something, in this case it would require a big effort and code redesign with high regression risks; more information is needed before we can consider all the pros/cons. As the other end was closed and no information was provided, closing this as insufficient data.
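As an added check (not part of this bug report or of dovecot), the script below inventories a PEM bundle such as the `ssl_ca` file above to show how much of it is CRL versus CA certificates, and measures what a single `load_verify_locations()` of that file costs in time and peak RSS, which is the per-login cost the report describes. It assumes a Linux host (the `resource` module reports `ru_maxrss` in KB there) and uses a constructed sample bundle when no path is given.

```python
import re
import resource
import ssl
import time

# Matches PEM blocks by their markers (RFC 7468 labels); bodies are not decoded,
# so this works even on a bundle openssl would reject.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inventory_pem(text):
    """Return {label: (block_count, total_body_bytes)} for each PEM label."""
    out = {}
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        count, size = out.get(label, (0, 0))
        out[label] = (count + 1, size + len(body))
    return out

def crl_share(text):
    """Fraction of PEM payload bytes in the bundle that belong to CRLs."""
    inv = inventory_pem(text)
    total = sum(size for _, size in inv.values())
    return inv.get("X509 CRL", (0, 0))[1] / total if total else 0.0

def measure_load(cafile):
    """Wall time and peak-RSS growth (KB on Linux) of loading cafile into a
    fresh SSLContext: roughly what each *-login process pays per ssl_ca load."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    before = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    t0 = time.perf_counter()
    ctx.load_verify_locations(cafile=cafile)  # loads both certs and CRLs
    elapsed = time.perf_counter() - t0
    after = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    return {"seconds": elapsed, "maxrss_growth_kb": after - before}

# Constructed sample: one small "CA" block and one much larger "CRL" block.
# Bodies are filler, not real DER; only the marker layout matters here.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + "A" * 64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n" + "B" * 64 * 50 + "\n-----END X509 CRL-----\n"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_BUNDLE
    for label, (n, size) in inventory_pem(text).items():
        print(f"{label}: {n} block(s), {size} PEM bytes")
    print(f"CRL share of bundle: {crl_share(text):.1%}")
    if path:
        print(measure_load(path))
```

Run it against the real `ssl_ca` path to see whether the bulk of the file is the CRL; if it is, serving the CRL separately from the CA bundle keeps what every login process has to parse small.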