Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[ec2-user@ip-172-31-31-127 ~]$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
**File Processing**
[ec2-user@ip-172-31-31-127 ~]$ ls -la /etc/pki/tls/cert.pem 
lrwxrwxrwx. 1 root root 49 Aug 29 17:21 /etc/pki/tls/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
**Directory Processing**
[ec2-user@ip-172-31-31-127 ~]$ ls -la /etc/pki/tls/certs
total 0
drwxr-xr-x. 2 root root  54 Nov  8 07:41 .
drwxr-xr-x. 5 root root 126 Nov  8 07:41 ..
lrwxrwxrwx. 1 root root  49 Aug 29 17:21 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root  55 Aug 29 17:21 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

the same file (in this case /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) is getting re-processed twice.

The reason for this is that the file we get from OpenSSL (through GetX509RootStoreFile) is also part of the directory we get from OpenSSL (through GetX509RootStorePath).

I see the total time reduced from 103ms to 65ms..

Nice!

cc @adamsitnik

rebased and re-targeted to main..

We would like this to be in the .NET8.0 service release as it will help in all recent RHEL based distros and potentially more.

@tmds @vcsjones @jeffhandley what else needs to be done to get this merged and back ported to .NET 8 ?

what else needs to be done to get ... back ported to .NET 8 ?

It won't be backported to .NET 8. Basically, the only things that get backported to LTS releases are:

• .NET got broken by an OS change
• A significant bug in a v1 feature (fix it early so we don't have to deal with bug-compatibility forever).
• A functional regression from the previous release.
• A significant perf regression from the previous release.

The loader logic hasn't really changed in the last several releases, so I don't think this is addressing a regression. So while a 50% startup reduction for this scenario is good, it's not the sort of thing we do in servicing.

If I'm wrong, and you have numbers that show that the same code was <=80ms to start in .NET 6, but is now over 100ms in .NET 8... then I can submit that as the justification, but there's no guarantee that the servicing review process would take it.

@bartonjs I would request the team to consider as .NET 8 is going to stay for long.

@birojnayak Our customers have a strong preference for stability and minimal churn in servicing. We have our servicing bar documented at https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core#servicing. Our backport PRs require written justification that meets this bar.

This issue has been present for number of years. In order to justify backport of the fix, we would need to explain what changed recently that this issue needs backporting now, when we have lived with it for many years. It is not a recent regression. If you can help us to write a valid justification, we can try to get it approved for backport.

(".NET 8 is going to stay for long." is not valid justification for a backport.)

The linked PR describes and implements a workaround in AWS lambda: aws/aws-lambda-dotnet#1661

@jkotas I will leave it you folks to decide if your team wants to backport to .NET 8.0 (as we have solved internally for AWS lambda via the solution I suggested to team). As long as it is coming in .NET9.0 , it's going to help all.

FYI this is how it improves startup on Json Https aspnet apps

this is awesome @sebastienros