Closed Bug 705265 Opened 13 years ago Closed 13 years ago

SSLServerCertVerification::AuthCertificate invokes full validation twice

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 650307

People

(Reporter: mayhemer, Unassigned)

Details

(Keywords: perf) 

During review of patch for bug 674147 I've discovered we do the full server cert verification two times:

SSLServerCertVerification::AuthCertificate (formerly AuthCertificateCallback) calls PSM_SSL_PKIX_AuthCertificate -> CERT_PKIXVerifyCert and just few lines bellow calls GetIsExtendedValidation -> getValidEVOidTag -> hasValidEVOidTag -> CERT_PKIXVerifyCert.

Call to CERT_PKIXVerifyCert invokes all OCSP requests and all the work to verify the certificate.

Not sure on the solution here, one way could be to encapsulate the verification (call to CERT_*VerifyCert) in nsNSSCertificate and let it cache the result for some time for further use.
And a side note: introduced in bug 406755, worth reading: https://bugzilla.mozilla.org/show_bug.cgi?id=406755#c61
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.