perl-ldap / perl-ldap

Perl LDAP client library
http://ldap.perl.org/

ldaps connection takes 3 times longer in EL9 than in EL8/EL7 #68

Open secioss-shuu opened 1 month ago

secioss-shuu commented 1 month ago

This happens in both Rocky Linux 9 and Red Hat Enterprise Linux 9. Just the "new" call takes 3 times more time in EL9 than in EL8. All dependencies are installed by OS default, i.e. perl 5.32, perl-LDAP 0.68.

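```perl
use Net::LDAP;

# Open 1000 LDAPS connections and report the elapsed wall-clock time in seconds.
my $start = time;
for (my $i=0; $i<1000; $i++) {
    # Each call sets up a new TLS connection to the local server.
    my $ldap = Net::LDAP->new('ldaps://localhost');
}
my $end = time;
print $end-$start;
```

whindsx commented 1 month ago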

There is a significant jump in OpenSSL version from EL8 to EL9: v1.1.1 to v3.x.x. I would assume therein lies the issue.

secioss-shuu commented 1 month ago

Thank you for your advice. Well, I noticed that, and I even tried installing openssl 3.0.3 on EL8, but I still can't reproduce the performance issue on EL8.

whindsx commented 1 month ago

Try 1.x.x on EL9?

secioss-shuu commented 1 month ago

> Try 1.x.x on EL9?

This is a little tricky actually.

But I found that a workaround is just to specify "capath" when calling "new". But I do not yet get the reason.

```perl
# seems like ANY path works
my $ldap = Net::LDAP->new('ldaps://localhost', capath => "/dev/null");
```

secioss-shuu commented 1 month ago

> Try 1.x.x on EL9?

Finally I tried openssl 1.1.1k, perl 5.26 and Net::SSLeay 1.88 on EL9. It works!

Well, I found that the "new" call even in EL8 is much slower than in EL7. With everything default from the OS, EL7 takes 1sec, EL8 takes 2sec, and EL9 takes 6sec.

But in the EL9 downgrade attempt, it's as fast as in EL7, same as with the "capath" workaround.

whindsx commented 1 month ago

For reference, can you share the details of your remote LDAP service? TLS version, Active Directory, OpenLDAP, etc.

secioss-shuu commented 1 month ago

> For reference, can you share the details of your remote LDAP service? TLS version, Active Directory, OpenLDAP, etc.

The LDAP services I tried are listed here, with almost the same result on all of them.

- EL7: openldap-servers-2.4.44-21.el7_6.x86_64, TLSv1.2, Cipher is AES256-GCM-SHA384
- EL8: 389-ds-base-1.4.3.34-1.module+el8.7.0+1179+90e6c9fb.x86_64, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
- EL9: 389-ds-base-2.3.6-3.el9_3.x86_64, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256