Hello,

After upgrading from openssl 1.x to 3.x, I've seen significant performance degradation in a particular scenario where wget was used to perform multiple HEAD requests, targeting a server with a self-signed certificate, thus using the option "--check-certificate=quiet". That led me to dig a bit deeper and find an open issue <https://github.com/openssl/openssl/issues/18814>, regarding the speed of "SSL_CTX_load_verify_locations" in openssl 3.x.

As a workaround, when the user requests that the certificate is not checked at all, I'd propose to skip CA certificates loading, thus avoiding unnecessary function calls (proposed implementation in "skip-ca-loading.patch").

In addition, when the user sets the quiet flag "-q" and, at the same time, uses the option "--no-check-certificate", I believe the program should behave as if the user had set "--check-certificate=quiet", because the warning would not be printed anyways (proposed implementation in "quiet-cert-check.patch").

Feel free to contact me if you want to discuss further about these possible changes.

Thanks for your work! Have a great day!

--
Paolo De Santis
skip-ca-loading.patch
Description: Binary data
quiet-cert-check.patch
Description: Binary data