Re: cert8.db and CRLs
Patrick, POC wrote:

> I have two large CRLs, one is ~2.3MB the other ~2.7MB that I have successfully imported in my cert8.db. I actually see the 2 files created in cert8.dir.

Check that crlutil -d . -L can decode and list the CRLs properly.

> However now my NSS server app core dumps...

Without the stack trace and the version of NSS you are using, we can't help you.

> It does NOT dump when the CRLs are DELETED from the cert db...The puzzling thing is that NSS should not be even touching these CRLs since my client is connecting anonymously...

NSS may use the CRLs when verifying any certificate from the CRL issuer. Even though your clients are not connecting with client auth, it is possible that your server is doing other PKI operations with NSS that end up using the CRL.
Re: cert8.db and CRLs
What other PKI operations could my server be doing with NSS v3.8 that would involve CRLs if all my clients are connecting anonymously?

In any case, I did more investigating and it looks like the Bus error which is causing the app to dump core is being caused by the system running out of system swap space, or at least running so low that the NSS app dumps core. I noticed that my server app process virtual mem size goes up to ~12MB (when the CRLs are imported in the cert db) and since my app is multi-processed there can be up to 10 processes like this, which causes the swap space to be used up very quickly...

Is it normal for an NSS server app to grow that much? Why would it grow markedly more when the CRLs are imported? It looks like the CRLs are loaded in memory even when not needed?

-- P
cert8.db and CRLs
I have two large CRLs, one is ~2.3MB the other ~2.7MB that I have successfully imported in my cert8.db. I actually see the 2 files created in cert8.dir. However now my NSS server app core dumps...It does NOT dump when the CRLs are DELETED from the cert db...The puzzling thing is that NSS should not be even touching these CRLs since my client is connecting anonymously...

My NSS server app is a multi-process app that initializes the sec dbs multiple times like the app in security\nss\cmd\selfserv.c.

-- POC
Re: cert8.db and CRLs
POC wrote:

> I have two large CRLs, one is ~2.3MB the other ~2.7MB that I have successfully imported in my cert8.db. I actually see the 2 files created in cert8.dir. However now my NSS server app core dumps...It does NOT dump when the CRLs are DELETED from the cert db...The puzzling thing is that NSS should not be even touching these CRLs since my client is connecting anonymously...
>
> My NSS server app is a multi-process app that initializes the sec dbs multiple times like the app in security\nss\cmd\selfserv.c.

Could you post the stack trace in the core dump? If possible, use the debug NSS libraries to get a better stack trace. Please let us know the NSS version so that we know which source tree we should examine.

Wan-Teh
cert8.db and CRLs
Does the cert8.db certificate database upgrade introduced in NSS 3.7 fix the CRL problem seen in cert7.db whereby large CRLs would corrupt the database?

-- POC