Re: Can a ssl3.ca_list be configured on a model file descriptor?

Fri, 24 Sep 2010 23:15:33 -0700 

On 9/21/2010 11:51 AM, Wolter Eldering wrote:

On 9/21/2010 4:52 AM, Wan-Teh Chang wrote:

On Sun, Sep 19, 2010 at 12:39 AM, Wolter Eldering
<wolter.elder...@vanad.com.cn> wrote:


Because we deal with a large number of certificates I've also have some
patches to reduce the number of queries to the sql: type database.
And a patch that will make the NSS_SDB_USE_CACHE=yes perform much
better. We
use NSS_SDB_USE_CACHE=yes so we can access it from gfs2.

What's the best way to submit these patches?


Hi Wolter,

The best way to submit your NSS patches is to
file NSS bug reports on the problems your patches
are intended to address, and then attach the patches
as attachments to the bug reports.

Here is an example:
https://bugzilla.mozilla.org/show_bug.cgi?id=597622

I am especially interested in your patches for
reducing the number of queries to the sql: databases,
and for making the NSS_SDB_USE_CACHE=yes
perform much better. Some of the Linux Chrome
users run into serious SSL performance problems
that were linked to their sql: databases being on
NFS.

Wan-Teh


Hi Wan-Teh,

The patches I made are base on 3.12.6 and I mainly looked where I needed
to improve it for work well with mod_nss. I'll get the latest version of
NSS and Chrome running on a Linux box so I can see what queries are
executed and test the patches i've made.

Regards,
Wolter





I've added my patches and some test results to bug: 
https://bugzilla.mozilla.org/show_bug.cgi?id=595134


I've tested with chrome with a home-dir accessed via NFS


I needed to start chrome like this: "chrome-linux/chrome-wrapper 
--single-process --enable-dnssec-certs" to get the environment variables 
to be seen by chrome


Before patch
C_FindObjectsInit                390        462ms    1184.62us    75.00%
After patch (AND NSS_SDB_USE_CACHE=yes)
C_FindObjectsInit                390         27ms      69.23us    13.78%



I also added the  --enable-dnssec-certs because I noticed from the code 
that CERT_GetCertChainFromCert is called. As far as I can see the whole 
chain will be build with again and again. each certificate in the chain 
takes about 4 sqlite queries.




Regards,
Wolter
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto






















					Reply via email to