Let's Encrypt certificate validation too slow on Linux #29706
Description
After the fix of https://github.com/dotnet/corefx/issues/35086, X509Chain build sees a big perf improvement, but for Let's Encrypt certificate, it is still too slow.
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
namespace x509perf
{
public class TestLetsEncrypt
{
private static readonly byte[] s_testLetsEncryptCertBytes = Convert.FromBase64String(@"MIILoQIBAzCCC2cGCSqGSIb3DQEHAaCCC1gEggtUMIILUDCCBgcGCSqGSIb3DQEHBqCCBfgwggX0AgEAMIIF7QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIIYhr1K5Dm8kCAggAgIIFwB6uJ/MzNM9va1naRU8UoU4jzslvwqMfWZoCPzKK1TmfyrIiBd4g9WBnzHq2VQ837L2apmv/rHPLkWcF+H/PKlA42wU86QSmSGCv81HLzDdU38F45VG92hu3nd6xWT+ngp+SUFB/WTpDkDtMgyUGy9ZOJr2llOfbj12QzEmWgs55QY3kcbbnIlcGiL2MoWVUR6qPWEkpw6y04nKrh6OJYXaaThyvuAS9qfWHcobHahCCnC5YcfzfPngEspbsIYTgBq5kDKjZolMqdiH+vvnes6gQdV+1tGpGEWFkzpkyYtIeZVIAbxHKX8ID3ZOqhcMpURniitM03/mpuvCFsFUwGpCI4VSYoz16GqKBRGDvc+mcKqCd1QKuHawjfLmpCRtAMKxtCfUJxLCqZ8NqDXNLxxik+yRHlqSSC3epT2pBkEdSKXx8o9E5EEPYwZNdbAA3ZIFzv6SNzhmkQs5GmoArgxN+Onp3gL3h7/fsrwqblugYGUsLRlvlcuw80P2j6zmEDCsVNBNs2DtaWB7xBRedYS5r1JByakWMBN0R8TjxHEOtvsx52omNcx2iEoFH16cVpuF+YcEuHI17i04QvxVChLlRQ8sEYcg25F7RDHALVKfsoj6aEetXsaFcKeLLTFJLXVe+voxc95eSrZl36zsTREihpYqjJOaEKnxY7C1joQpnixie9hKSkD4kQ1qtz4m5Jej4N/a8Zynv1C0YPKfOjj6ggZGby9cOFNjIt9NEwdlZoXIY7QpfazRDE6JKtnEEx6/VVVB9e6tMAk2lPe41vQ0CQouZk2m/GEyAd/54IbHKKisVWnD/m2QUnoFyb9ATKbWPnXf6DUG7MA71On7DT060jJj2SxMgRMcgnd5Dn55DhKcHXP1sMv/4KTRUEIJfqj4qqq2wu+JsMeVnoHtSJuHnUfcXz8Z91xMK2jRnM8Vrm1VVwg0HrXbp7vllJcEoAbSGOk6+cxvGkxTtoEU4LiduFOHHBQ/Fr1X79qZs1pMMuK75Qk3YUdQr4fd+pNH1gW4k5NpJx/VrktZlDzA3wkI01LMyyOkBt+qL9eiIJd9RlPT/NZLui5OtCZVQZcQWLbtaVH2zGh6BXG0/TxgCGgzNzXNJ7IPrl8DNPIyeuad6J5Yzo+gtso5d96oz94xub5rm9fCnIKGvptmFLBtA2KMiB77gHXSDPlQW2/4uYjHBqz1CUz5CHdQSktcihiVep/dq51N1INbAmJd7Ph4qmvDNUhyXoSda44hIoJjrJcKNHIZG3TAza/XmdaM/OINu93nc09+P5Mjh6kUOJlzBZYFdVieAveX6SK5XZ/6YF6sOBFga5DBdqMdnPwj2T+GC7FneadFi2bSDWvimOU80qKijO9iexCVjzh+J7E8novtWXZOGgocdYcmz4Z8UmXwG5GdLjH2/SiwJ4GEMReUILgbGtTp6FOTZ58hp0XEnzFpbXo7w5VvP/Gcupqjicn4KcP6bkeCIVid6c1UDNttEbAhvz35wkqR9gOI+gwoD1ynQxPkDJijTy1vhGdLb+DCDDAmOzI7KeQYUz8esFe3jOLGJseoiE7/VB/Uqo0JcL/gYbfPqV1IlnT0XO+Bam8tcf8XjCTUvEL7bjzCAGB5k7nF/8BFm1nQdV6UiCqwyOdGWNdarNpgBmC5DW6HVOtm+q0rIPIqF53mjfPtBKRNiUGaqd6I5U1TZvNyI7IVl0XIeJKpK4SvSEHWNyCxSgvTLqalm4xH8HusmdXH1U1vSzjjSFI5wpBpsK1RJqrLX7vcycYz3R8eLJGQWhFwaLAry5kFxMTXgeOouI6sZMcVLn6MF5x2Q0rXMoXarRMS/mfGS+n4DUsDXcTMaP/ovImqB/Y2Qg0fvkqn0T7sHGgrZIqyJRNvXXKcr8xOXiVGtX1vSDF8naUzPIeuq8nrjlKhBYh9P1b4fFx0G7DOaaT99EovJDHqaBq57xy5wG9QMT5nCMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECF2w3jv50/WKAgIIAASCBMiiHC/GRrCZWDllMpcz5SJfzD/p1/T6uIpn0ExvYgL3RpMEi4jmDOEVdgltdYQcqYos+iSBCPW0IpDcZtjL4LYO6RbItAd5HihqU9A9RFUi3Ps7y0PMxwaDZizSTBv8xtjT/EObhOxYqWiO0FBTf+g38ubuuY4aS7XvqVSL+mHDg0MpIaB92psAg4dp+61qZ08VQJgHeQ1dFz2qSCq6hFZtBKjV8JScecl5H/rhkR9AUImYGM4pOBMKjlZfMiwjtKFzV7NotlhzOSjJezk5sTgQO/WOQ+LwasIdeX9uHad0V7Ed9OxROBR8+Y67tFyPj/iQS+/G+KGEatmW607LOjroDcYVpxpOahfvl64b8eyXqCcg7hGMQqFNinxptQ2tD8ChpYucYJG3hPUe742NPKg3h58dtUKNW4jfuoB4uOEmrvYvHwsvX0uUKvssomOMng+aS1Mjr012NQ634TSmDU3maNtyhq6g4w4hQFUsMipu/gC5+sQHCaum0NdGtvvht1dXQcE6QE27CNIVVwgkcMxKHjoIlSSlfNYppqFe0idgX0+Z2AJ8vTTRNrIgCGYxQ604Wqdsw6D7Ss8S31P++KkoVddDeMoB1WvkLhPXGXlB9pkxSDRVPayOp/7ymTX7zw/tfmsPsGu83M3miNL3naOO1IrZjxPwH5w/qqEoAeSN7HJOZ8wQzBQev1yAKrYkIXj3iS/qZ5R3aoxp8Duq3gGQhlH4wqDrmaNstuggDcPGKUdm3NbJXbUskbAI1R4GCiz6D8Y1Zmz3lmgBa+mBM8Fn1eRkQoCKOp1xTKewfc/kxC7tl1U3RixROmSof+dPQeG5c/WU2QV0XFaqVRQpfiBfu+oYqFsIdKWeSq7J9dfRM930cCB/k9scvSe5udHDSlbKFtnoVXig9j6EtK/FU2WJBbdffaxGUtmNrH1YWAKWCgVszVK9uYuEdr27oPcxuFg/NiDno3mX7Zqd1FPVKGxC3BP1TIebN4SvS0nOYcAgh3Gqf/pMdEFlkIfo840VYQk9ejlJ4boeHulI6Z+fn7J21lfxzJ2Gao4D/e+PulffH352KMFUWGH/zn7H1g6S9Xgb1IT2NO5joRRQbpguuBkWrb4OxGJoTgiaeDP5hNffxteO+s2lzCPf3y42VL4IBIitv0gF2jxBWJBjEnjg+X/w9OCR3qg35AB+GCjpu8yN5xrR451faRXABbsJLiBgtV7TWkW2AOM9tzWYyazYOuKqImKubedF8gMdpD7eMHY9JYbz3Ef1w036+MAk1qMO7HxSzrlWSFQuhrHeEnP4gxNBm9imBc5k/1KTZS+E7taQLZFmynUegMHH0tenccPGsChtZFJQRiILVkEamCl3mLRhFTtZ/N8cz7xfD5wwLW98Qm7X97AGgeZTEciEqAkKE35FTTbhZTyFHnIfS/fbISVGFWigZmqTfBPrEuqF3yQ0EgFYRUXsK0HeCjcRSbp6v3YERmZC2rnmKkU9oebztxO8LLTqNu5jYU0QKT1EzS8dzDfaamR1t7Bd+Xol/ezS2oCh3db1+bA3QqSyDRsHJyZ2eEUJH/C5yJlxPDLjf9JrI4R2eTg7qL5fDRHZ9caMJf/zGU3U//h+Ka4vxKIyBMrZxb0TFRcd1AQxJTAjBgkqhkiG9w0BCRUxFgQUhMkdBLqBr8Z45KxBw42Pk/U+6lMwMTAhMAkGBSsOAwIaBQAEFG+ms9ZjBQulvwaBgYqdQ+umc9grBAgUIceZtaaZcgICCAA=");
private static X509Certificate2 GetServerLetsEncryptCertificate()
{
var certCollection = new X509Certificate2Collection();
certCollection.Import(s_testLetsEncryptCertBytes, "123456", X509KeyStorageFlags.DefaultKeySet);
return certCollection.Cast<X509Certificate2>().First(c => c.HasPrivateKey);
}
public static void TestLetsEncryptCert()
{
const int Iters = 1000;
var k = 0;
var sw = new Stopwatch();
using (X509Certificate2 originalCert = GetServerLetsEncryptCertificate())
{
while (k < 5)
{
Console.Write($"{Iters} iterations: ");
sw.Restart();
for (int i = 0; i < Iters; i++)
{
using (var chain = new X509Chain())
using (var cert = new X509Certificate2(originalCert))
{
chain.Build(cert);
}
}
sw.Stop();
Console.WriteLine(sw.Elapsed);
k++;
}
}
}
static void Main()
{
TestLetsEncryptCert();
}
}
}On windows, the output:
1000 iterations: 00:00:00.2156929
1000 iterations: 00:00:00.1387840
1000 iterations: 00:00:00.1537569
1000 iterations: 00:00:00.1433948
1000 iterations: 00:00:00.1191109
On Ubuntu 16.04 or 18.04 (either local VM or Azure VM has the same output), the output:
1000 iterations: 00:05:21.7863637
1000 iterations: 00:05:19.6759851
I use iftop command on Ubuntu to check the tcp traffic, and found it connects "apps.digsigtrust.com" when perf test running. This website in fact is "https://www.identrust.com".
It looks like the fix of https://github.com/dotnet/corefx/issues/35086 does not help for this case.