rocksock: cache SSL contexts to avoid repeated CA store loads

set_default_verify_paths was called per connection (2k+/cycle),
spending ~24s reloading the CA store from disk. Cache two shared
contexts (verify/noverify) at module level instead.

rocksock.py

@@ -21,6 +21,25 @@
 import socket, ssl, select, copy, errno
 import network_stats
 
+# Cached SSL contexts -- avoids reloading CA store from disk on every connection
+_ssl_ctx_noverify = None
+_ssl_ctx_verify = None
+
+def _get_ssl_context(verifycert=False):
+	global _ssl_ctx_noverify, _ssl_ctx_verify
+	if verifycert:
+		if _ssl_ctx_verify is None:
+			_ssl_ctx_verify = ssl.create_default_context()
+			_ssl_ctx_verify.check_hostname = True
+			_ssl_ctx_verify.verify_mode = ssl.CERT_OPTIONAL
+		return _ssl_ctx_verify
+	else:
+		if _ssl_ctx_noverify is None:
+			_ssl_ctx_noverify = ssl.create_default_context()
+			_ssl_ctx_noverify.check_hostname = False
+			_ssl_ctx_noverify.verify_mode = ssl.CERT_NONE
+		return _ssl_ctx_noverify
+
 # rs_proxyType
 RS_PT_NONE = 0
 RS_PT_SOCKS4 = 1
@@ -210,12 +229,7 @@ def RocksockProxyFromURL(url):
 class Rocksock():
 	def __init__(self, host=None, port=0, verifycert=False, timeout=0, proxies=None, **kwargs):
 		if 'ssl' in kwargs and kwargs['ssl'] == True:
-			self.sslcontext = ssl.create_default_context()
+			self.sslcontext = _get_ssl_context(verifycert)
-			self.sslcontext.check_hostname = False
-			self.sslcontext.verify_mode = ssl.CERT_NONE
-			if verifycert:
-				self.sslcontext.verify_mode = ssl.CERT_OPTIONAL
-				self.sslcontext.check_hostname = True
 		else:
 			self.sslcontext = None
 		self.proxychain = []