-
-
Notifications
You must be signed in to change notification settings - Fork 30.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 3.0 performance issue: SSLContext.set_default_verify_paths / load_verify_locations about 5x slower #95031
Comments
It is a problem in OpenSSL 3.0. Python upstream does not support OpenSSL 3.0 for good reasons. It has performance and backwards compatibility issue. On my system
By the way you should not combine |
import ssl
import sys
import time
LOOPS = 100
print(sys.version)
print(ssl.OPENSSL_VERSION)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
start = time.monotonic()
for i in range(LOOPS):
ctx.load_verify_locations('/etc/pki/tls/cert.pem')
dur = time.monotonic() - start
print(f"{LOOPS} loops of 'load_verify_locations' in {dur:0.3f}sec") |
Thansk.Example is separate from requests,httpx...... |
I recommend that you raise a bug with OpenSSL. Their |
According to "perf', OpenSSL 3.0 is spending a lot of time in |
Fortunately, the issue is known (so no need to report it once more): openssl/openssl#16791 initial report and openssl/openssl#18814 pointing to a root issue. |
Should we close this as a third party issue? |
As an outsider, it appears to me that there's always going to be a risk of this becoming a severe performance bottleneck as long as python's |
This one bit me today. And it did bite quite hard! Beginning with cPython 3.11.5 (on Windows) we're shipping OpenSSL 3 instead of 1.1 One of my other processes has some more accurate numbers - before:
and after:
Pretty sure you could have cooked coffee on the cpu after that. On the upper level I'm using the requests library in my code and there where two solutions to the problem:
I used Method 2, but now I need to stay on Python 3.11.4 for all eternity. Hopefully this will be fixed some day soon. Hope this post helps other people with the same problem. I will see if I'll add some info to the linked OpenSSL Issues also. |
As a quick solution: I'm a little bit sad that people will say that Python is dog-slow when really it isn't our fault. But saying "not our fault" won't help much here. Having a plan B would be great. |
(Another workaround - if you're only connecting to one or a few hosts you may find that you're able to put together a custom, extremely minimal ca bundle with only the root cert(s) you need. This will be much faster to parse, though will have the same caveats as pinning certificates) |
Also one can only use |
Python has a cache for certificate verification: SSLContext. The simplest solution for your performance problem is a single SSLContext object for all your TLS client connection. Most client application only need a single SSLContext object during their lifetime. You configure the SSLContext according to your security profile, load the trust anchors, and then pass the object to your connection function. Then you have to pay the price for CA loading just once. SSLContext is thread and async-safe. If you are using requests or httpx, then you want to make use of |
@tiran Using a Requests Session was great advice and it speeds up things considerably. But still we're cooking the cpu quite good. This is Python 3.11 without a Requests Session:
And Python 3.11 with a Requests Session:
This is Python 3.12 without a Requests Session:
And Python 3.12 with a Requests Session:
I could live with that, so Python 3.12 is not a no-go anymore - thanks a lot for your advice! |
Is this official? If yes, can it be added to the documentation? I am asking, because the slowness with |
Others have mentioned how bad it is on Windows, but just to demonstrate it clearer here. Using a slightly modified code based on this, loading
|
Bug report
Example code in ubuntu20.04(openssl1.1) is much faster than ubuntu22.04(openssl3.x)
Not just speed, CPU occupancy ubuntu22.04(openssl3.x) is many times of ubuntu20.04(openssl1.1)
I'm not sure whether it's OpenSSL or Python adaptation problem
in my environment with docker:
Your environment
The text was updated successfully, but these errors were encountered: