Enhance performance of ssl_DupSocket

RESOLVED FIXED in 3.0.1

Status

NSS
Libraries
P3
normal
RESOLVED FIXED
18 years ago
18 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))

Details

Christian Kaiser found that a large percentage of the time spent
in handling an SSL server socket was spent in the PR_Accept call.
PR_Accept calls ssl_accept, which calls ssl_DupSocket, which calls
CERT_CertChainFromCert(), which takes a LONG time. 

This begs the question:  Why does CERT_CertChainFromCert() take
SO LONG??

But it also begs the question: why look up the cert chain for
the same server cert over and over?  Why not just duplicate
the CERTCertificateList in the listen socket?
Or, better yet, why not reference count that CERTCertificateList
and just bump the ref count?

I've looked at this briefly.  I'm confident that the 
CERTCertificateList can be duplicated with MUCH less work than
building it by looking up the chain again.  
I have coded a function to duplicate the CERTCertificateList,
and am waiting for another bug to be fixed before I can test 
my change.

I need to study all the code that uses the CERTCertificateList
structs before I'll know if ref counting will work.
(Assignee)

Updated

18 years ago
Depends on: 51436
(Assignee)

Comment 1

18 years ago
target == NSS 3.0
Target Milestone: --- → 3.0
(Assignee)

Updated

18 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 2

18 years ago
Fixed by these checkins:
/cvsroot/mozilla/security/nss/lib/certdb/cert.h,v  <--  cert.h
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v  <--  certhigh.c
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v  <--  sslsock.c
new revision: 1.3; previous revision: 1.2

However, I'm going to leave this bug open because I want to investigate
an even better fix, namely ref counting (instead of duplicating) the
CERTCertificateList.
Target Milestone: 3.0 → 3.1
(Assignee)

Comment 3

18 years ago
Change target fix version to 3.0.1
Target Milestone: 3.1 → 3.0.1
(Assignee)

Comment 4

18 years ago
I'm marking this fixed, now that the fix has gone into 3.0.1
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED
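
The trade-off raised in the description and in comment 2 (duplicating the list per accepted socket versus reference-counting one shared list), as an added example that is not taken from the NSS sources or from the checkins above. `blob`, `cert_list` and the `cert_list_*` functions are hypothetical stand-ins, not NSS's CERTCertificateList or its API, and the byte strings are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an encoded cert chain; not NSS's CERTCertificateList. */
typedef struct { unsigned char *data; size_t len; } blob;
typedef struct { blob *certs; size_t count; int refs; } cert_list;

/* Drop one reference; free the storage only when the last holder lets go. */
void cert_list_release(cert_list *l) {
    if (!l || --l->refs > 0) return;
    for (size_t i = 0; i < l->count; i++) free(l->certs[i].data);
    free(l->certs); free(l);
}

/* Build a list from n encoded certs (stands in for the costly chain lookup). */
cert_list *cert_list_new(const blob *src, size_t n) {
    cert_list *l = calloc(1, sizeof *l);
    if (!l) return NULL;
    l->refs = 1;
    l->certs = calloc(n ? n : 1, sizeof *l->certs);
    if (!l->certs) { free(l); return NULL; }
    for (size_t i = 0; i < n; i++) {
        l->certs[i].data = malloc(src[i].len ? src[i].len : 1);
        if (!l->certs[i].data) { cert_list_release(l); return NULL; }
        if (src[i].len) memcpy(l->certs[i].data, src[i].data, src[i].len);
        l->certs[i].len = src[i].len; l->count = i + 1;
    }
    return l;
}

/* Option 1: deep copy per accepted socket. Independent lifetime, cost grows with chain size. */
cert_list *cert_list_dup(const cert_list *l) { return l ? cert_list_new(l->certs, l->count) : NULL; }

/* Option 2: share and bump the count. Constant cost, but every holder must release exactly
   once, and the count needs atomic updates or a lock if sockets live on different threads. */
cert_list *cert_list_ref(cert_list *l) { if (l) l->refs++; return l; }

int main(void) {
    unsigned char a[] = {0x30, 0x03, 1, 2, 3}, b[] = {0x30, 0x01, 9}; /* constructed bytes */
    blob chain[] = {{a, sizeof a}, {b, sizeof b}};
    cert_list *base = cert_list_new(chain, 2), *copy = cert_list_dup(base);
    cert_list *shared = cert_list_ref(base);
    cert_list_release(base);              /* listen socket closes first */
    int ok = shared && copy && shared->refs == 1 && shared->certs[1].data[2] == 9;
    cert_list_release(shared); cert_list_release(copy);
    return ok ? 0 : 1;
}
```

The shared list stays valid after the listener releases it because the accepted socket still holds a reference; the deep copy never depended on the listener at all.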