From 13674e54bc4464029a571e67b33c85738f63a4f5 Mon Sep 17 00:00:00 2001
From: ShenHongFei
Date: Wed, 18 Dec 2024 15:15:24 +0800
Subject: [PATCH] src: modify SecureContext::SetCACert to not use root_certs
---
 src/crypto/crypto_context.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index aa5fc61f19e435..368b81cdd66392 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -785,8 +785,11 @@ void SecureContext::SetCACert(const BIOPointer& bio) {
 if (!bio) return;
 while (X509Pointer x509 = X509Pointer(PEM_read_bio_X509_AUX(
 bio.get(), nullptr, NoPasswordCallback, nullptr))) {
+ // Get the existing cert store from the SSL context
+ // instead of GetCertStoreOwnedByThisSecureContext()
+ // to avoid creating X509_STORE based on root_certs, which is very slow
 CHECK_EQ(1,
- X509_STORE_add_cert(GetCertStoreOwnedByThisSecureContext(),
+ X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx_.get()),
 x509.get()));
 CHECK_EQ(1, SSL_CTX_add_client_CA(ctx_.get(), x509.get()));
 }
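Review bot: The `X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx_.get()), ...)` call now writes into whatever store the SSL_CTX currently points at, and nothing in the loop establishes that this store is private to the context. The body of `GetCertStoreOwnedByThisSecureContext()` is not in the hunk, but its name suggests it guarantees a per-context store. If a context can reach `SetCACert` while its store is one shared with other contexts, for example a process-wide root store, the added CA would become a trust anchor for all of them. The new comment explains only the performance motive, so it should also state the precondition, for example `// Requires that ctx_'s cert store is not shared with other contexts; adding to a shared store would widen trust for all of them.` A regression test would help: check that a CA added through one context is not accepted by a second context that uses the default roots. The function's closing brace is outside the hunk.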