Trouble with signature filter skipping

Guillaume Rousse guillaume.rousse at renater.fr
Mon Sep 10 07:43:07 EDT 2018


Hello list.

We're experiencing quite long (i.e., ~4 minutes) shibd startup time, 
since the registration of some proxified service in eduGAIN, due to the 
quite large size of eduGAIN metadata (23Mb), and the time required to 
check the signature (between 2 and 3 minutes).

After reading this thread 
(http://shibboleth.1660669.n2.nabble.com/SP-Startup-takes-20-minutes-td7624987.html), 
I tried to disable signature checking for already downloaded metadata 
files, by setting the verifyBackup attribute to false:

<MetadataProvider type="XML"
   url="https://metadata.federation.renater.fr/edugain/preview/preview-idps-edugain-metadata.xml"
   backingFilePath="/var/cache/shibboleth/preview-idps-edugain-metadata.xml"
   reloadInterval="3600">
   <MetadataFilter type="Signature"
     certificate="/etc/pki/tls/certs/renater_metadata_signature.crt"
     verifyBackup="false"/>
</MetadataProvider>

However, it doesn't make any difference, and the signature check still 
requires as much time, i.e.:
Sep 10 13:13:07 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider.XML : loaded XML resource (https://metadata.federation.renater.fr/edugain/preview/preview-idps-edugain-metadata.xml)
Sep 10 13:13:11 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider : applying metadata filter (Signature)
Sep 10 13:15:05 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider.XML : adjusted reload interval to 2700 seconds

I had a look at the sources, and according to my understanding, the 
verifyBackup switch is used in OpenSAML code, and more precisely at 
lines 142-144 of this file:
https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=blob;f=saml/saml2/metadata/impl/SignatureMetadataFilter.cpp;h=97fa2ac41c17c9937d32177fe41b176c22ebfcdc;hb=HEAD

However, I've been unable to produce the expected log message ("Skipping 
SignatureMetadataFilter on load from backup") in the SP logs, despite 
setting the required category in the shibd.logger configuration file 
(log4j.category.OpenSAML.MetadataFilter.Signature=DEBUG). Basically, it 
doesn't have any effect, at least with my settings. What am I doing wrong?

We are running our own builds of the whole stack (Shibboleth SP 3.02, 
OpenSAML 3.0, etc.) on CentOS 7.5, if that matters.

As a side note, I also tried adding more virtual CPUs (from 2 to 4), as 
it seems to be the resource bottleneck here. However, I didn't see any 
notable progress, probably because of non-parallelizable code :(

Regards.
-- 
Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
www.renater.fr
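
As an added example (not code from the post above nor from the Shibboleth project), a small shibd log parser that measures how long each metadata load spends in the Signature filter and whether the backup-skip message appeared, so the effect of verifyBackup can be checked from the logs rather than by watching startup time. The sample lines are constructed after the timestamps quoted in the post; the second load, where the skip is logged, is hypothetical, and the DEBUG line assumes the message text from the linked SignatureMetadataFilter.cpp.

```python
import re
from datetime import datetime

# Syslog-style shibd line, modelled on the lines quoted in the post (unwrapped).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ shibd: "
    r"(?P<level>[A-Z]+) (?P<cat>[\w.]+) : (?P<msg>.*)$"
)
LOADED_RE = re.compile(r"loaded XML resource \((?P<url>[^)]+)\)")
SKIP_MSG = "Skipping SignatureMetadataFilter on load from backup"

def signature_filter_timings(lines, year=2018):
    """Return [(url, seconds spent in the Signature filter, skipped_on_backup)] per load."""
    results, url, start, skipped = [], None, None, False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a shibd line (e.g. one wrapped by a mail client)
        # syslog timestamps carry no year, so the caller supplies it
        ts, msg = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["msg"]
        loaded = LOADED_RE.search(msg)
        if loaded:
            url, start, skipped = loaded["url"], None, False
        elif msg.startswith("applying metadata filter (Signature)"):
            start = ts
        elif SKIP_MSG in msg:
            skipped = True
        elif msg.startswith("adjusted reload interval") and url is not None:
            # the filter chain has finished for this resource
            secs = (ts - start).total_seconds() if start else 0.0
            results.append((url, secs, skipped))
            url = None
    return results

def slow_full_checks(lines, threshold_s=30, year=2018):
    """Loads that ran the full signature check for longer than threshold_s seconds."""
    return [(u, s) for u, s, sk in signature_filter_timings(lines, year) if s > threshold_s and not sk]

# Constructed sample after the post's timestamps: one full check, then a hypothetical
# later load on which verifyBackup="false" actually took effect.
SAMPLE = """\
Sep 10 13:13:07 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider.XML : loaded XML resource (https://metadata.federation.renater.fr/edugain/preview/preview-idps-edugain-metadata.xml)
Sep 10 13:13:11 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider : applying metadata filter (Signature)
Sep 10 13:15:05 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider.XML : adjusted reload interval to 2700 seconds
Sep 10 14:00:01 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider.XML : loaded XML resource (https://metadata.federation.renater.fr/edugain/preview/preview-idps-edugain-metadata.xml)
Sep 10 14:00:02 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider : applying metadata filter (Signature)
Sep 10 14:00:02 ix1-bv-c7-FedHAproxy-03 shibd: DEBUG OpenSAML.MetadataFilter.Signature : Skipping SignatureMetadataFilter on load from backup
Sep 10 14:00:03 ix1-bv-c7-FedHAproxy-03 shibd: INFO OpenSAML.MetadataProvider.XML : adjusted reload interval to 2700 seconds
""".splitlines()
```

Running `signature_filter_timings(SAMPLE)` on the constructed sample gives 114 seconds for the first load (full check) and 1 second for the second (skipped); a real log where every load reports the full duration and never the skip message shows verifyBackup is not taking effect.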
