pkix_CacheCert_Lookup doesn't return cached certs
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
People
(Reporter: kjacobs, Assigned: rrelyea)
Details
(Whiteboard: [nss-fx])
Attachments
(1 file)
pkix_CacheCert_Lookup doesn't return a result when there's a cache hit: *pFound is set to PKIX_FALSE at the outset, then only set (again) to false. We still maintain the table and evict old entries, but since *pFound is never true, the result isn't returned. This is at odds with the function description.
We might just need to set *pFound near the point at which selCertList is appended to, but I haven't tested this.
(this was originally noted in bug 1682044)
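A simplified model of the flag problem described in the report, added here as an illustration and not taken from NSS. The cache contents, cache_lookup, report_hit and slow_path_count are constructed for the example, and the caller falling back to a slower search when the flag is false is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a cert cache lookup; names and data are constructed, not NSS's. */
#define MAX_CERTS 4
typedef struct {
    const char *subject;           /* cache key */
    const char *certs[MAX_CERTS];  /* cached cert labels */
    size_t n;
} cache_entry;
static const cache_entry cache[] = {
    { "CN=Example Root", { "root-A", "root-B" }, 2 },
};
#define N_ENTRIES (sizeof cache / sizeof cache[0])

/* report_hit=false reproduces the reported shape: *found is cleared at the
 * outset and never set; report_hit=true sets it where results are appended. */
static void cache_lookup(const char *subj, bool report_hit,
                         const char **out, size_t *n, bool *found)
{
    *found = false;
    *n = 0;
    for (size_t i = 0; i < N_ENTRIES; i++) {
        if (strcmp(cache[i].subject, subj) != 0)
            continue;
        for (size_t j = 0; j < cache[i].n && *n < MAX_CERTS; j++) {
            out[(*n)++] = cache[i].certs[j];
            if (report_hit)
                *found = true;
        }
    }
}

/* The caller trusts only the flag. Returns how many of `tries` lookups fell
 * through to the slow certificate-store search (only counted here). */
static int slow_path_count(const char *subj, bool report_hit, int tries)
{
    const char *out[MAX_CERTS];
    size_t n;
    bool found;
    int slow = 0;
    for (int t = 0; t < tries; t++) {
        cache_lookup(subj, report_hit, out, &n, &found);
        if (!found)
            slow++;
    }
    return slow;
}
```

With the flag never set, every lookup of a primed key still takes the slow path, so the defect shows up as lost performance rather than as a test failure.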
Comment 1•3 years ago
Going with what you suggested, this doesn't seem to cause any test fails.
Comment 2•3 years ago
Testing with libreswan shows a performance improvement. For instance, in the test ikev2-x509-15-san-dn-mismatch-responder, on a second attempt to verify a cert chain (cache primed with root cert), the call time [CPU (WALL)] is reduced from times such as:
| "san" #2: spent 9.87 (12.4) milliseconds in find_and_verify_certs() calling verify_end_cert()
| "san" #2: spent 9.97 (11.9) milliseconds in find_and_verify_certs() calling verify_end_cert()
to:
| "san" #2: spent 6.65 (7.07) milliseconds in find_and_verify_certs() calling verify_end_cert()
| "san" #2: spent 7.33 (9) milliseconds in find_and_verify_certs() calling verify_end_cert()