metadata-support - Re: [Metadata-Support] significant slowdown in XML Signature validation
Subject: InCommon metadata support
List archive
- From: Jeffrey Eaton <>
- To: "" <>
- Subject: Re: [Metadata-Support] significant slowdown in XML Signature validation
- Date: Tue, 16 Feb 2016 21:05:28 +0000
- Accept-language: en-US
> On Feb 16, 2016, at 3:05 PM, Cantor, Scott
> <>
> wrote:
>
>> With the new eduGAIN containing metadata, we’re seeing a significant
>> slowdown in the time it takes shibd to start up, and this appears to be in
>> the
>> signature validation step.
>
> My impression hasn't been that it's validation time, I've been ascribing it
> to transit time or more likely just the raw DOM parsing time. I don't think
> you can assume it's the signature unless you actually measured that under a
> debugger.
Removing the line:
<MetadataFilter type="Signature" certificate="incommon.pem”/>
makes the startup take about 4 seconds from the first log entry (INFO
OpenSAML.Config : opensaml 2.5.5 library initialization complete) until it’s
ready to respond (INFO Shibboleth.Listener : listener service starting).
That of course eliminates all security of the metadata so not exactly
something that can be done in any sort of real environment.
With the MetadataFilter in place, it takes 90-120 seconds. So something with
the signature process is chewing up a lot of time. I’d probably suspect
something in the XML canonicalization that happens as part of signature
validation. It seemed to be doing a ton of malloc calls, so I suspect that
there’s something in the XML canonicalization that does that, and it
increases exponentially with the size of the metadata file being validated.
There’s likely little that can be done without significant effort into
profiling the XML libraries and seeing exactly what they’re doing. I tried
doing some basic analysis with valgrind / callgrind, but running it under
valgrind just makes it take an absurd amount of time (20+ minutes and
counting).
-jeaton
- [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
- [Metadata-Support] RE: significant slowdown in XML Signature validation, Cantor, Scott, 02/16/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
- RE: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/16/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/16/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Ian Young, 02/16/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/18/2016
- RE: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/18/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/18/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/19/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/19/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/19/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/18/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/16/2016
- RE: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/16/2016
- Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
- [Metadata-Support] RE: significant slowdown in XML Signature validation, Cantor, Scott, 02/16/2016
Archive powered by MHonArc 2.6.16.