On Thu, Oct 6, 2016 at 7:29 AM, Rob Stradling <rob.stradl...@comodo.com> wrote: > On 04/10/16 19:39, Peter Bowen wrote: >> On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling <rob.stradl...@comodo.com> >> wrote: >>> On 04/10/16 13:18, Nick Lamb wrote: >>>> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: >>>>> Neither. I'd like to run cablint over all certs pre-issuance, but >>>>> unfortunately it's not practical to do this yet because 1) cablint is >>>>> too slow and 2) there are some differences of opinion that have been >>>>> discussed at CABForum but not yet resolved. >>>> >>>> Can you expand on what "too slow" would mean here? Or does it tread too >>>> much on specific commercial performance criteria you don't want to talk >>>> about? >>> >>> Running cablint means firing up the Ruby interpreter, then fork/exec'ing >>> a separate executable umpteen times. IIRC, last time I checked, crt.sh >>> was only managing to cablint ~10 certs per second. (Prior to that, >>> before I'd figured out a way to avoid having to take the "firing up the >>> Ruby interpreter" hit again and again for every single cert, it was only >>> managing to cablint ~3 certs per second). >> >> cablint could be much faster if the asn1 code could be moved in >> process. Doing so requires someone who can work in C and has some >> experience building Ruby extensions. This change would avoid the many >> many fork/exec calls during a single certificate lint. >> >> If anyone is willing to volunteer, I can provide more detail. > > Woo! Matt Palmer accepted the challenge... > > https://github.com/awslabs/certlint/pull/38
And I just finished doing the initial tests. The fork/exec version took 227.427 seconds to check a specific set of certificates. The extension version took 14.306 seconds. A 15x speedup! I'm going to do some more testing, but this looks amazing! Matt rocks! Oh, and it gives better error messages as a side effect ;) _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy