In the discussion of issue #3156 ("composer is very slow") on the Composer GitHub page it is suggested to
re-define the packagist repo with an https:// URL in the global config using:
$ composer config --global repo.packagist composer https://packagist.org
That should work around the downgrade issue, but it'd be interesting to resolve it of course.
It really brings an appreciable speed boost. I've just tested this for Zend Framework 2 (see test below).
How does it work? (Why does disabling the allow_ssl_downgrade option make the process faster?)
EDIT
I ran composer create-project zendframework/zendframework
combining two factors: the cache and re-defining the packagist repo with allow_ssl_downgrade
turned off. I got the following results for the four resulting cases:
Default config ([repositories.packagist.url] https?://packagist.org, [repositories.packagist.allow_ssl_downgrade] true):
    cache: empty (composer clear-cache)   result: 3m38s
    cache: not empty                      result: 54s
Changed config ([repositories.packagist.url] https://packagist.org):
    cache: empty (composer clear-cache)   result: 3m34s
    cache: not empty                      result: 56s
Summary: The "trick" with disabling allow_ssl_downgrade brings no speed boost.
Nevertheless it would be nice to know: What does the allow_ssl_downgrade option actually do? (What does this "downgrading" mean? What are the advantages and disadvantages?)
The second time you run composer create-project zendframework/zendframework
it takes everything from Composer's cache instead of downloading it again!
You can see that it outputs something like the following, where it says Loading from cache,
if you run it a second time:
Installing zendframework/zendframework (2.5.2)
- Installing zendframework/zendframework (2.5.2)
Loading from cache
Make sure to run composer clear-cache between your tests to get reliable results.
If we have a look at Composer's source code we can find this code:
    // Rewrite the repository URL to plain http when the downgrade is allowed
    if ($this->allowSslDowngrade) {
        $this->url = str_replace('https://', 'http://', $this->url);
    }
If allowSslDowngrade = true
The main file is retrieved over https (see here), the rest over http because that's way faster. The integrity of the other files is checked via the sha256, which should be sufficient protection against MITM attacks.
If allowSslDowngrade = false
Everything is retrieved over https.
The differences in your measurements might be the result of varying Internet speed, server CPU/network load or something similar.