Closed Bug 51425 Opened 24 years ago Closed 24 years ago

Enhance performance of ssl_DupSocket

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nelson, Assigned: nelson)

Christian Kaiser found that a large percentage of the time spent
in handling an SSL server socket was spent in the PR_Accept call.
PR_Accept calls ssl_accept, which calls ssl_DupSocket, which calls
CERT_CertChainFromCert(), which takes a LONG time. 

This begs the question:  Why does CERT_CertChainFromCert() take
SO LONG??

But it also begs the question: why look up the cert chain for 
the same server cert over and over.  Why not just duplicate
the CERTCertificateList in the listen socket?
Or, better yet, why not reference count that CERTCertificateList
and just bump the ref count?

I've looked at this briefly.  I'm confident that the 
CERTCertificateList can be duplicated with MUCH less work than
building it by looking up the chain again.  
I have coded a function to duplicate the CERTCertificateList,
and am waiting for another bug to be fixed before I can test 
my change.

I need to study all the code that uses the CERTCertificateList
structs before I'll know if ref counting will work.
Depends on: 51436
target == NSS 3.0
Target Milestone: --- → 3.0
Status: NEW → ASSIGNED
Fixed by these checkins:
/cvsroot/mozilla/security/nss/lib/certdb/cert.h,v  <--  cert.h
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v  <--  certhigh.c
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v  <--  sslsock.c
new revision: 1.3; previous revision: 1.2

However, I'm going to leave this bug open because I want to investigate
an even better fix, namely ref counting (instead of duplicating) the
CERTCertificateList.
Target Milestone: 3.0 → 3.1
Change target fix version to 3.0.1
Target Milestone: 3.1 → 3.0.1
I'm marking this fixed, now that the fix has gone into 3.0.1
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
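
The two options weighed in this bug, duplicating the listen socket's certificate list per accepted socket versus reference counting a single shared list, are sketched below as an added example; it is not the NSS code from the checkins above. The `blob` and `chain_list` types and the `chain_*` functions are hypothetical stand-ins for `CERTCertificateList`, and the sample bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a server cert chain (DER blobs); not NSS's own types. */
typedef struct { unsigned char *data; size_t len; } blob;
typedef struct { blob *certs; int count; int refs; } chain_list;

/* Drop one owner; storage is freed only when the last owner lets go. */
int chain_release(chain_list *c) {
    if (!c) return 0;
    if (--c->refs > 0) return c->refs;
    for (int i = 0; i < c->count; i++) free(c->certs[i].data);
    free(c->certs);
    free(c);
    return 0;
}

/* Build a list that owns private copies of the given blobs. */
chain_list *chain_new(const blob *src, int count) {
    chain_list *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->refs = 1;
    c->certs = calloc((size_t)count, sizeof *c->certs);
    if (!c->certs) { free(c); return NULL; }
    for (int i = 0; i < count; i++) {
        c->certs[i].data = malloc(src[i].len);
        if (!c->certs[i].data) { chain_release(c); return NULL; }
        memcpy(c->certs[i].data, src[i].data, src[i].len);
        c->certs[i].len = src[i].len;
        c->count = i + 1;   /* keeps cleanup correct on partial failure */
    }
    return c;
}

/* Option 1: duplicate. Each accepted socket gets an independent copy. */
chain_list *chain_dup(const chain_list *old) {
    return old ? chain_new(old->certs, old->count) : NULL;
}

/* Option 2: share. Plain int counter: a threaded server needs it atomic or locked. */
chain_list *chain_ref(chain_list *c) { if (c) c->refs++; return c; }

int main(void) {
    unsigned char der[] = {0x30, 0x02, 0x05, 0x00};  /* constructed sample bytes */
    blob src = {der, sizeof der};
    chain_list *listener = chain_new(&src, 1);
    if (!listener) return 1;
    chain_list *accepted = chain_ref(listener);
    chain_release(listener);          /* listen socket closes first */
    return chain_release(accepted);   /* last owner frees; returns 0 */
}
```

With sharing, every code path that frees the list has to go through the release function, since a single direct free while another socket still holds a reference leaves that socket with a dangling pointer.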