Skip to content

Add an in-memory cache for CRLs on Linux#123562

Merged
bartonjs merged 16 commits intodotnet:mainfrom
bartonjs:crl_cache
Feb 11, 2026
Merged

Add an in-memory cache for CRLs on Linux#123562
bartonjs merged 16 commits intodotnet:mainfrom
bartonjs:crl_cache

Conversation

@bartonjs
Copy link
Member

@bartonjs bartonjs commented Jan 23, 2026

Introduce an extra layer of caching for CRLs.

  • The cache has a fixed size of 30 elements. When full, it evicts the least-recently-used entry.
  • Using the same finalizable object sentinel approach as ArrayPool, the cache will purge entries every time the GC finalizes.
    • During a finalize, the current MRU node is marked as what to purge next time.
      • Using that node moves the purge target to the next-older entry before the node is promoted back to MRU.
    • On the subsequent finalize, the marked node (and everything after it) are purged.
  • To avoid finalizing the CRL SafeHandles, the cache does an AddReference on every item that is returned (so the caller must Release it), and it calls Dispose on anything it evicts.

This implementation ignores any finalizations that happen in the first minute of the sentinel object's life, to allow the object a chance to get into Gen2 before hyper-eagerly evicting things.

@bartonjs bartonjs added this to the 11.0.0 milestone Jan 23, 2026
@bartonjs bartonjs self-assigned this Jan 23, 2026
Copilot AI review requested due to automatic review settings January 23, 2026 20:14
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 23, 2026

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

@bartonjs
Copy link
Member Author

bartonjs commented Jan 23, 2026

Testing with a cert that has a large CRL, revocation-enabled chain building is significantly reduced. This is from building a chain 5 times in a row, the last build:

Before:

2026-01-23T19:52:47.746Z: ChainStart - Starting X.509 chain build.
2026-01-23T19:52:47.748Z: FindFirstChainFinished - First build finished with status 0.
2026-01-23T19:52:47.748Z: RevocationCheckStart - Starting revocation check in mode 'Online' with scope 'ExcludeRoot' on a 3-element chain.
2026-01-23T19:52:47.748Z: CrlIdentifiersDetermined - Certificate 'CN=*.redis.cache.windows.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US' has a CRL Distribution Point of 'http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crl', will use '093932f7.a38db5b0.crl' as the cache file.
2026-01-23T19:52:47.748Z: CrlCacheCheckStart - Checking for a cached CRL.
2026-01-23T19:52:48.123Z: CrlCacheAcceptedFile - The cached crl nextUpdate value (2026-01-28T14:33:08.0000000-08:00) is acceptable, using the cached file.
2026-01-23T19:52:48.123Z: CrlCacheCheckStop - Duration 374.733ms
2026-01-23T19:52:48.123Z: CrlIdentifiersDetermined - Certificate 'CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US' has a CRL Distribution Point of 'http://crl3.digicert.com/DigiCertGlobalRootG2.crl', will use '607986c7.8ab5229e.crl' as the cache file.
2026-01-23T19:52:48.123Z: CrlCacheCheckStart - Checking for a cached CRL.
2026-01-23T19:52:48.123Z: CrlCacheAcceptedFile - The cached crl nextUpdate value (2026-02-09T09:43:56.0000000-08:00) is acceptable, using the cached file.
2026-01-23T19:52:48.123Z: CrlCacheCheckStop - Duration 0.225ms
2026-01-23T19:52:48.224Z: CrlChainFinished - With CRLs applied, the chain build finished with status 0.
2026-01-23T19:52:48.224Z: RevocationCheckStop - Duration 476.439ms
2026-01-23T19:52:48.358Z: ChainStop - Duration 611.607ms

After:

2026-01-23T19:53:24.099Z: ChainStart - Starting X.509 chain build.
2026-01-23T19:53:24.101Z: FindFirstChainFinished - First build finished with status 0.
2026-01-23T19:53:24.101Z: RevocationCheckStart - Starting revocation check in mode 'Online' with scope 'ExcludeRoot' on a 3-element chain.
2026-01-23T19:53:24.101Z: CrlIdentifiersDetermined - Certificate 'CN=*.redis.cache.windows.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US' has a CRL Distribution Point of 'http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crl', will use '093932f7.a38db5b0.crl' as the cache file.
2026-01-23T19:53:24.101Z: CrlCacheInMemoryHit - The in-memory CRL cache has a valid entry for the requested CRL, expiration at 2026-01-28T14:33:08.0000000-08:00.
2026-01-23T19:53:24.101Z: CrlIdentifiersDetermined - Certificate 'CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US' has a CRL Distribution Point of 'http://crl3.digicert.com/DigiCertGlobalRootG2.crl', will use '607986c7.8ab5229e.crl' as the cache file.
2026-01-23T19:53:24.101Z: CrlCacheInMemoryHit - The in-memory CRL cache has a valid entry for the requested CRL, expiration at 2026-02-09T09:43:56.0000000-08:00.
2026-01-23T19:53:24.122Z: CrlChainFinished - With CRLs applied, the chain build finished with status 0.
2026-01-23T19:53:24.122Z: RevocationCheckStop - Duration 21.174ms
2026-01-23T19:53:24.122Z: ChainStop - Duration 22.639ms

Copilot AI reviewed Jan 23, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces an in-memory LRU cache layer for Certificate Revocation Lists (CRLs) on Linux to improve performance by reducing disk I/O. The cache sits between the caller and the existing disk cache, with a fixed capacity of 30 entries that evicts least-recently-used items when full. The implementation uses a GC-based pruning mechanism similar to ArrayPool, where a finalizable sentinel object triggers periodic cache cleanup to manage memory pressure.

Changes:

  • Added 5 new event source events for tracking in-memory cache hits, misses, expiration, pruning, and capacity events
  • Updated existing event messages to clarify they refer to disk cache operations
  • Implemented MruCrlCache class with thread-safe LRU eviction, reference counting via DangerousAddRef/DangerousRelease, and GC-triggered pruning
  • Refactored CRL loading to check in-memory cache first, then disk cache, then download
  • Added proper SafeHandle management to prevent premature finalization during cache operations

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 12 comments.

File Description
OpenSslX509ChainEventSource.cs Added 5 new event IDs and methods for in-memory cache telemetry; updated existing event messages to distinguish disk cache operations
OpenSslCrlCache.cs Added MruCrlCache class implementing thread-safe LRU cache with GC-based pruning; refactored CRL loading logic to check memory cache before disk; added proper SafeHandle reference management

@grbell-ms
Copy link
Member

grbell-ms commented Jan 23, 2026

This implementation ignores any finalizations that happen in the first minute of the sentinel object's life, to allow the object a chance to get into Gen2 before hyper-eagerly evicting things.

Might be simpler to check directly with GC.GetGeneration

@build-analysis build-analysis bot mentioned this pull request Jan 24, 2026
Open
3 tasks
This was referenced Jan 24, 2026
Open
Open
Open
@build-analysis build-analysis bot mentioned this pull request Jan 28, 2026
Open
3 tasks
vcsjones
vcsjones reviewed Jan 29, 2026
View reviewed changes
Copilot AI review requested due to automatic review settings February 4, 2026 01:31
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

This was referenced Feb 4, 2026
Open
Open
@bartonjs bartonjs requested a review from jkotas February 4, 2026 23:15
@bartonjs
Copy link
Member Author

bartonjs commented Feb 4, 2026

Verified with a high memory utilization app (just makes a bunch of HTTPS requests to a large-enough number of different endpoints that it's not always just one CRL) that purge still runs with the GC.GetGeneration deferral check.

$ grep Prune log
2026-02-04T19:03:52.270Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 1 entries removed, 11 entries remain.
2026-02-04T19:03:53.304Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 1 entries removed, 10 entries remain.
2026-02-04T19:03:53.446Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 7 entries removed, 3 entries remain.
2026-02-04T19:03:55.915Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 2 entries removed, 3 entries remain.
2026-02-04T19:03:57.641Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 4 entries removed, 5 entries remain.
2026-02-04T19:03:58.370Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 2 entries removed, 3 entries remain.
2026-02-04T19:03:59.984Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 1 entries removed, 3 entries remain.
2026-02-04T19:04:04.780Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 2 entries removed, 3 entries remain.
2026-02-04T19:04:06.808Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 2 entries removed, 3 entries remain.
2026-02-04T19:04:09.219Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 2 entries removed, 3 entries remain.
2026-02-04T19:04:10.075Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 1 entries removed, 2 entries remain.
2026-02-04T19:06:23.544Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 5 entries removed, 2 entries remain.
2026-02-04T19:08:53.053Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 4 entries removed, 5 entries remain.
2026-02-04T19:09:36.261Z (2850560): CrlCacheInMemoryPruned - The in-memory CRL cache was pruned. 3 entries removed, 3 entries remain.

jkotas
jkotas approved these changes Feb 9, 2026
View reviewed changes
Copy link
Member

@jkotas jkotas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM otherwise

https://github.com/dotnet/runtime/tasks/7c01b926-ef6b-45e1-a062-12462ad7899f is output from our new code review skill. I agree that this change can use some tests, the rest I am not sure.

@bartonjs @jkotas
Update src/libraries/System.Security.Cryptography/src/System/Security…
f38c986 
…/Cryptography/X509Certificates/OpenSslCrlCache.cs

Co-authored-by: Jan Kotas <jkotas@microsoft.com>
Copilot AI review requested due to automatic review settings February 10, 2026 20:42
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

@bartonjs
Apply suggestions from code review
8cf6ad6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 10, 2026 22:43
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

@bartonjs
Apply suggestions from code review
2e13abb 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 10, 2026 23:29
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Copilot AI review requested due to automatic review settings February 11, 2026 00:59
Copilot AI reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@bartonjs bartonjs enabled auto-merge (squash) February 11, 2026 01:10
@bartonjs bartonjs merged commit a7341fb into dotnet:main Feb 11, 2026
83 of 96 checks passed
@vcsjones vcsjones mentioned this pull request Feb 11, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vcsjones vcsjones vcsjones left review comments

@stephentoub stephentoub stephentoub left review comments

@jkotas jkotas jkotas approved these changes

Copilot code review Copilot Copilot left review comments

Assignees

@bartonjs bartonjs

Labels

area-System.Security tenet-performance Performance related issue

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

5 participants

@bartonjs @grbell-ms @vcsjones @stephentoub @jkotas