On 9/26/2010 1:39 AM, Wan-Teh Chang wrote:
> On Fri, Sep 24, 2010 at 11:12 PM, Wolter Eldering
> <wolter.elder...@vanad.com.cn> wrote:
>> I've added my patches and some test results to bug:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=595134
>
> Thank you very much!
>
>> I needed to start chrome like this: "chrome-linux/chrome-wrapper
>> --single-process --enable-dnssec-certs" to get the environment variables to
>> be seen by chrome
>
> You should not use the --single-process option. It is intended
> for testing only.
>
>> I know the main reason for using this option is to get one integrated
>> timing report when using NSS_DEBUG_PKCS11_MODULE="NSS Internal
>> PKCS #11 Module"
>
> You may have misunderstood the effects of --enable-dnssec-certs.
> I seem to remember that with --enable-dnssec-certs, Chrome will still
> go through the normal certificate verification code path if the server's
> certificate (or rather, public key) is not in DNS.
>
> Wan-Teh
I did not study the chrome sources in detail. I just had a quick look at
how NSS is used. I noticed they call CERT_GetCertChainFromCert. Many
queries are required to build the chain, especially when the chain is long.
That's also the reason for my other question here: "What's the reason
for not caching token objects for internal tokens?"

I use mod_nss with about 250 hosts with SSL enabled. For every call of

  SSL_ConfigSecureServer(PRFileDesc *, CERTCertificate *,
                         SECKEYPrivateKey *, SSL3KEAType)
    ssl_ConfigSecureServer(ss, cert, NULL, keyPair, kea)
      CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer, PR_TRUE);

The CA chain is 4 deep == 12 queries
250 virtual hosts/SSL_ConfigSecureServer * 12 queries = 3000 queries

I'm now setting up a test CA with a deeper CA chain to do more testing
on that.

Regards,
Wolter
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
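The cost Wolter describes, modelled as an added example that is not code from this thread or from NSS: a constructed 4-deep chain shared by 250 virtual hosts, a stand-in token that counts issuer searches, and the same chain walk with and without a memoizing issuer cache. The three-queries-per-search figure is an assumption chosen to match the "4 deep == 12 queries" in the mail.

```python
from dataclasses import dataclass

LOOKUPS_PER_SEARCH = 3  # assumption: one issuer search costs 3 token queries


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for the self-signed root


class Token:
    """Stand-in for the NSS internal token; every issuer search is counted."""
    def __init__(self, certs):
        self._by_subject = {c.subject: c for c in certs}
        self.queries = 0

    def find_issuer(self, cert):
        self.queries += LOOKUPS_PER_SEARCH
        return self._by_subject.get(cert.issuer)


def build_chain(token, leaf, cache=None):
    """Walk leaf -> ... -> root, asking the token for each issuer. The walk ends
    when the issuer found is the cert itself (self-signed root), so a 4-deep
    chain costs 4 searches. `cache` memoizes issuer name -> cert across calls,
    which is what a cache of token objects would give the caller."""
    chain, cert = [leaf], leaf
    while True:
        issuer = cache.get(cert.issuer) if cache is not None else None
        if issuer is None:
            issuer = token.find_issuer(cert)
            if issuer is None:
                raise LookupError(f"issuer {cert.issuer!r} not found in token")
            if cache is not None:
                cache[cert.issuer] = issuer
        if issuer is cert:
            return chain
        chain.append(issuer)
        cert = issuer


def configure_hosts(n_hosts, depth, use_cache):
    """Mimic SSL_ConfigSecureServer on n_hosts virtual hosts that share one
    CA chain of `depth` certificates; returns (chain length, token queries)."""
    assert depth >= 2, "constructed chain needs at least a leaf and a root"
    cas = [Cert("root", "root")]
    for i in range(1, depth - 1):
        cas.append(Cert(f"sub-ca{i}", cas[-1].subject))
    leaves = [Cert(f"host{h}", cas[-1].subject) for h in range(n_hosts)]
    token, cache, length = Token(cas + leaves), ({} if use_cache else None), 0
    for leaf in leaves:
        length = len(build_chain(token, leaf, cache))
    return length, token.queries
```

Without the cache the 250 hosts cost 250 * 12 = 3000 token queries; with the issuer cache only the first host's walk touches the token.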