Christian Kaiser found that a large percentage of the time spent in handling an SSL server socket was spent in the PR_Accept call. PR_Accept calls ssl_accept, which calls ssl_DupSocket, which calls CERT_CertChainFromCert(), which takes a LONG time.

This begs the question: Why does CERT_CertChainFromCert() take SO LONG?? But it also begs the question: why look up the cert chain for the same server cert over and over? Why not just duplicate the CERTCertificateList in the listen socket? Or, better yet, why not reference count that CERTCertificateList and just bump the ref count?

I've looked at this briefly. I'm confident that the CERTCertificateList can be duplicated with MUCH less work than building it by looking up the chain again. I have coded a function to duplicate the CERTCertificateList, and am waiting for another bug to be fixed before I can test my change. I need to study all the code that uses the CERTCertificateList structs before I'll know if ref counting will work.
target == NSS 3.0
Target Milestone: --- → 3.0
Fixed by these checkins:

/cvsroot/mozilla/security/nss/lib/certdb/cert.h,v <-- cert.h
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v <-- certhigh.c
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v <-- sslsock.c
new revision: 1.3; previous revision: 1.2

However, I'm going to leave this bug open because I want to investigate an even better fix, namely ref counting (instead of duplicating) the CERTCertificateList.
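An added illustration of the two options discussed in this bug, duplicating the listen socket's chain versus ref counting it; this is not NSS code and not the checked-in fix. The types `DerItem` and `CertList` and all `cert_list_*` functions are hypothetical simplified stand-ins that use malloc instead of NSS arenas.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins (assumption): NSS's real list is arena-allocated. */
typedef struct { unsigned char *data; size_t len; } DerItem;
typedef struct { DerItem *certs; int len; int refs; } CertList;

/* Drop one reference; free the DER buffers when the last owner lets go. */
void cert_list_release(CertList *l) {
    if (!l || --l->refs > 0) return;
    for (int i = 0; i < l->len; i++) free(l->certs[i].data);
    free(l->certs);
    free(l);
}

/* Copy n DER items into a freshly owned list; NULL on allocation failure. */
CertList *cert_list_new(const DerItem *src, int n) {
    CertList *l = calloc(1, sizeof *l);
    if (!l) return NULL;
    l->refs = 1;
    l->certs = calloc(n > 0 ? (size_t)n : 1, sizeof *l->certs);
    if (!l->certs) { free(l); return NULL; }
    for (int i = 0; i < n; i++) {
        l->certs[i].data = malloc(src[i].len ? src[i].len : 1);
        if (!l->certs[i].data) { cert_list_release(l); return NULL; }
        if (src[i].len) memcpy(l->certs[i].data, src[i].data, src[i].len);
        l->certs[i].len = src[i].len;
        l->len = i + 1;   /* keeps cleanup correct if a later item fails */
    }
    return l;
}

/* Option 1, duplicate: cost is a memcpy per cert, no chain lookup. */
CertList *cert_list_dup(const CertList *old) {
    return old ? cert_list_new(old->certs, old->len) : NULL;
}

/* Option 2, share: one increment; needs an atomic or lock across threads. */
CertList *cert_list_ref(CertList *l) { if (l) l->refs++; return l; }

int main(void) {
    unsigned char leaf[] = {0x30, 0x03, 0x01, 0x02, 0x03}; /* constructed bytes */
    DerItem src[] = {{leaf, sizeof leaf}};
    CertList *listen_chain = cert_list_new(src, 1);
    CertList *accepted = cert_list_dup(listen_chain);
    printf("copied %d cert(s)\n", accepted->len);
    cert_list_release(accepted);
    cert_list_release(listen_chain);
}
```

With duplication each accepted socket owns its chain outright, so closing the listen socket first is safe; with sharing, every code path that frees the list has to go through the release function, which is the audit the comment above says is still needed.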
Target Milestone: 3.0 → 3.1
Change target fix version to 3.0.1
Target Milestone: 3.1 → 3.0.1
I'm marking this fixed, now that the fix has gone into 3.0.1
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED