Skip to content

[release/10.0] Add an in-memory cache for CRLs on Linux#127574

Merged
hoyosjs merged 16 commits into
release/10.0from
backport/pr-123562-to-release/10.0
May 5, 2026
Merged

[release/10.0] Add an in-memory cache for CRLs on Linux#127574
hoyosjs merged 16 commits into
release/10.0from
backport/pr-123562-to-release/10.0

Conversation

@github-actions

@github-actions github-actions Bot commented Apr 29, 2026

Copy link
Copy Markdown
Contributor

Backport of #123562 to release/10.0

Customer Impact

  • Customer reported
  • Found internally

Customers have been reporting "memory leaks" on Linux related to CRL processing for quite a while. These "leaks" aren't actual leaks, but an interaction with how OpenSSL processes CRLs (using many small calls to malloc), and glibc memory arenas and small-allocation caching -- glibc holds onto the small allocs from free so it can hand them out again later.

Because we handle CRLs by loading them, checking them, and discarding them, a process that does a lot of revocation checks will end up checking the CRL on every thread, and thus can end up with large "reserved" memory for their process. As the size of the CRL goes up, the number of threads goes up, and memory limits come down (e.g. Kubernetes) the reserved memory becomes more of a potential problem.

This change (originally introduced for 11 preview 3) changes the CRL processing to use an in-memory bounded MRU cache with GC cooperation. So, a process that repeatedly hits the same endpoints over and over (or even multiple endpoints from the same CA+CRL) ideally only ever has to load the CRL once (unless it expires). Since it isn't freed while still in use, it doesn't contribute to small-allocation accumulation.

Regression

  • Yes
  • No

Testing

As with the PR into main, most of the tests are existing tests. A new test is included to show cross-process disk cache recovery.

Risk

Medium-Low. The MRU cache isn't just a drop-in layering piece, so the volume of code carries inherent risk. The risk is largely mitigated by a large amount of coverage from unit tests, and manual stress tests against the feature when it was written in main (cycling through a few hundred HTTPS hosts randomly across several threads while doing a large amount of background memory allocation/deallocation).

Users experiencing the high RES memory problem on Linux have reported that .NET 11 Preview 3 ameliorated the problem. Otherwise, no feedback has been received regarding the change (implying that it has not caused a problem for anyone).

@dotnet-policy-service

Copy link
Copy Markdown
Contributor

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels May 5, 2026
@hoyosjs hoyosjs merged commit fc46e69 into release/10.0 May 5, 2026
95 of 98 checks passed
@hoyosjs hoyosjs deleted the backport/pr-123562-to-release/10.0 branch May 5, 2026 17:09
@snakefoot

Copy link
Copy Markdown
Contributor

Guess it should be assigned the upcoming milestone 10.0.9 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-System.Security Servicing-approved Approved for servicing release

4 participants