On Thu, Oct 6, 2016 at 7:33 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Thu, Oct 6, 2016 at 7:29 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>> On 04/10/16 19:39, Peter Bowen wrote:
>>> On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>>>> On 04/10/16 13:18, Nick Lamb wrote:
>>>>> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote:
>>>>>> Neither. I'd like to run cablint over all certs pre-issuance, but
>>>>>> unfortunately it's not practical to do this yet because 1) cablint is
>>>>>> too slow and 2) there are some differences of opinion that have been
>>>>>> discussed at CABForum but not yet resolved.
>>>>>
>>>>> Can you expand on what "too slow" would mean here? Or does it tread too
>>>>> much on specific commercial performance criteria you don't want to talk
>>>>> about?
>>>>
>>>> Running cablint means firing up the Ruby interpreter, then fork/exec'ing
>>>> a separate executable umpteen times. IIRC, last time I checked, crt.sh
>>>> was only managing to cablint ~10 certs per second. (Prior to that,
>>>> before I'd figured out a way to avoid having to take the "firing up the
>>>> Ruby interpreter" hit again and again for every single cert, it was only
>>>> managing to cablint ~3 certs per second).
>>>
>>> cablint could be much faster if the asn1 code could be moved in
>>> process. Doing so requires someone who can work in C and has some
>>> experience building Ruby extensions. This change would avoid the many
>>> many fork/exec calls during a single certificate lint.
>>>
>>> If anyone is willing to volunteer, I can provide more detail.
>>
>> Woo! Matt Palmer accepted the challenge...
>>
>> https://github.com/awslabs/certlint/pull/38
>
> And I just finished doing the initial tests. The fork/exec version
> took 227.427 seconds to check a specific set of certificates. The
> extension version took 14.306 seconds. A 15x speedup!
>
> I'm going to do some more testing, but this looks amazing! Matt rocks!
>
> Oh, and it gives better error messages as a side effect ;)

I did some more testing. Using a single run it now does over 615 certificates per second. Running 16 in parallel processed 8948 per second. So it is pretty fast now :)