<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [Soup] NetworkProcess spins to 100% CPU usage on HTTPS connections"
   href="https://bugs.webkit.org/show_bug.cgi?id=167420#c1">Comment # 1</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [Soup] NetworkProcess spins to 100% CPU usage on HTTPS connections"
   href="https://bugs.webkit.org/show_bug.cgi?id=167420">bug 167420</a>
              from <span class="vcard"><a class="email" href="mailto:zan&#64;falconsigh.net" title="Zan Dobersek &lt;zan&#64;falconsigh.net&gt;"> <span class="fn">Zan Dobersek</span></a>
</span></b>
        <pre>When establishing HTTPS connections to specific hostnames, a lot of time can be spent under gnutls_x509_crt_check_hostname2() -- in some cases seconds. This can severely affect the NetworkProcess performance or in the case of resource-limited systems even the performance of the whole system.

This is reproducible with GnuTLS 3.5.7.

The 'images.washingtonpost.com' hostname will be used throughout this analysis. On a reasonably powerful Intel CPU, over 2 seconds can be spent under gnutls_x509_crt_check_hostname2() when establishing a secure connection to that server.

The problem in gnutls_x509_crt_check_hostname2() is the repetitive calls to gnutls_x509_crt_get_subject_alt_name(). In the case of the certificate provided by images.washingtonpost.com, there are 567 subject alternative names available, and the 519th alternative name is the one that matches the hostname that's being checked.

The bottleneck under gnutls_x509_crt_get_subject_alt_name() stems from the fact that for every call, the alternative names are reimported from the certificate through gnutls_x509_ext_import_subject_alt_names(). This function alone takes roughly 4ms on every invocation, so at 519 invocations it consumes about 2 seconds in total.

This is also easily reproducible using the gnutls-cli tool. `gnutls-cli images.washingtonpost.com` takes a few seconds to determine that the certificate is trusted, while `gnutls-cli washingtonpost.com` does that instantly.

gnutls_x509_crt_check_hostname2():
<a href="https://gitlab.com/gnutls/gnutls/blob/gnutls_3_5_x/lib/x509/hostname-verify.c#L181">https://gitlab.com/gnutls/gnutls/blob/gnutls_3_5_x/lib/x509/hostname-verify.c#L181</a>

gnutls_x509_crt_get_subject_alt_name():
<a href="https://gitlab.com/gnutls/gnutls/blob/gnutls_3_5_x/lib/x509/x509.c#L1726">https://gitlab.com/gnutls/gnutls/blob/gnutls_3_5_x/lib/x509/x509.c#L1726</a>

gnutls_x509_ext_import_subject_alt_names():
<a href="https://gitlab.com/gnutls/gnutls/blob/gnutls_3_5_x/lib/x509/x509_ext.c#L215">https://gitlab.com/gnutls/gnutls/blob/gnutls_3_5_x/lib/x509/x509_ext.c#L215</a></pre>
        </div>
      </p>
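The comment above attributes the slowdown to re-parsing the whole SubjectAltName extension once per index lookup, so a 567-entry SAN costs hundreds of full decodes. As an added example (not GnuTLS code and not part of the original comment), the C program below shows the shape of a single-pass check: decode the DER-encoded extension once, walk its GeneralName entries in order, and compare each dNSName against the hostname as it is encountered. The sample extension bytes, the names in it, and the function names are constructed for illustration; the only standards facts relied on are that SubjectAltName is a SEQUENCE (tag 0x30) and that dNSName is the context-specific tag [2] (byte 0x82). It deliberately rejects truncated lengths and names with an embedded NUL, and it does not implement IDN handling, CN fallback, or the full RFC 6125 wildcard rules.

```c
/* san_check.c: single-pass SubjectAltName dNSName hostname check over a
 * DER-encoded extension value.  Example code added to this page, not GnuTLS code. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: SubjectAltName ::= SEQUENCE OF GeneralName,
 * dNSName = [2] IMPLICIT IA5String, i.e. tag byte 0x82.  Three names. */
static const uint8_t kSanDer[] = {
    0x30, 0x3e,                                   /* SEQUENCE, 62 bytes of content */
    0x82, 0x12, 'w','a','s','h','i','n','g','t','o','n','p','o','s','t','.','c','o','m',
    0x82, 0x0d, '*','.','e','x','a','m','p','l','e','.','o','r','g',
    0x82, 0x19, 'i','m','a','g','e','s','.','w','a','s','h','i','n','g','t','o','n','p','o','s','t','.','c','o','m',
};

/* Constructed hostile sample: a single dNSName "a.com\0x" with an embedded NUL. */
static const uint8_t kSanNulDer[] = {
    0x30, 0x09, 0x82, 0x07, 'a','.','c','o','m', 0x00, 'x',
};

/* Read one DER TLV starting at *pos.  Returns 0 on truncation, an
 * indefinite length, or a length field longer than two bytes; otherwise
 * fills tag/val/val_len and advances *pos past the value. */
static int der_tlv(const uint8_t *buf, size_t buf_len, size_t *pos,
                   uint8_t *tag, const uint8_t **val, size_t *val_len)
{
    size_t i = *pos, len;
    if (i + 2 > buf_len) return 0;
    *tag = buf[i++];
    len = buf[i++];
    if (len & 0x80) {                       /* long form: 0x81 / 0x82 only */
        size_t n = len & 0x7f;
        if (n == 0 || n > 2 || n > buf_len - i) return 0;
        len = 0;
        while (n--) len = (len << 8) | buf[i++];
    }
    if (len > buf_len - i) return 0;        /* value would run past the buffer */
    *val = buf + i;
    *val_len = len;
    *pos = i + len;
    return 1;
}

/* Case-insensitive comparison of a DER byte span with a C string span. */
static int ci_equal(const uint8_t *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t k = 0; k < alen; k++)
        if (tolower(a[k]) != tolower((unsigned char)b[k])) return 0;
    return 1;
}

/* Match one dNSName against host.  A leading "*." matches exactly one
 * label; an empty name or one containing a NUL byte never matches. */
static int dns_name_matches(const uint8_t *name, size_t nlen, const char *host)
{
    size_t hlen = strlen(host);
    if (nlen == 0 || memchr(name, 0, nlen) != NULL) return 0;
    if (nlen >= 2 && name[0] == '*' && name[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;
        return ci_equal(name + 1, nlen - 1, dot, hlen - (size_t)(dot - host));
    }
    return ci_equal(name, nlen, host, hlen);
}

/* Decode the extension once and compare every dNSName against host.
 * Returns 1 on match, 0 on no match, -1 on malformed DER.
 * *examined (may be NULL) receives the number of dNSName entries visited. */
int san_check_hostname(const uint8_t *der, size_t der_len,
                       const char *host, size_t *examined)
{
    size_t pos = 0, seen = 0, seq_len, val_len;
    uint8_t tag;
    const uint8_t *seq, *val;

    if (!der_tlv(der, der_len, &pos, &tag, &seq, &seq_len) || tag != 0x30)
        return -1;
    for (pos = 0; pos < seq_len; ) {
        if (!der_tlv(seq, seq_len, &pos, &tag, &val, &val_len)) return -1;
        if (tag != 0x82) continue;          /* rfc822Name, iPAddress, ... skipped */
        seen++;
        if (dns_name_matches(val, val_len, host)) {
            if (examined) *examined = seen;
            return 1;
        }
    }
    if (examined) *examined = seen;
    return 0;
}

/* Convenience wrapper: how many dNSName entries the single pass touched. */
size_t san_examined(const uint8_t *der, size_t der_len, const char *host)
{
    size_t n = 0;
    (void)san_check_hostname(der, der_len, host, &n);
    return n;
}

int main(void)
{
    const char *hosts[] = { "images.washingtonpost.com", "WWW.example.org",
                            "a.b.example.org", "nomatch.invalid" };
    for (size_t k = 0; k < sizeof hosts / sizeof hosts[0]; k++) {
        size_t n = 0;
        int r = san_check_hostname(kSanDer, sizeof kSanDer, hosts[k], &n);
        printf("%-28s -> %s (%zu dNSName entries examined)\n", hosts[k],
               r == 1 ? "match" : r == 0 ? "no match" : "malformed", n);
    }
    return 0;
}
```

The point of the structure is that the DER decode happens exactly once per certificate regardless of how many names precede the matching one; the per-index API pattern described in the comment pays that decode on every lookup. In a real implementation the decoded name list would be cached on the certificate object, which is what removes the quadratic cost without changing the public API.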
    </body>
</html>