Re: Can a ssl3.ca_list be configured on a model file descriptor?
On Tue, Nov 9, 2010 at 9:23 PM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
> Hi Wan-Teh,
>
> I was wondering if you found my patches useful? Or maybe I can help in any way.

Hi Wolter,

Thank you for attaching your patches and test results to bug 595134:
https://bugzilla.mozilla.org/show_bug.cgi?id=595134

I'm sorry that I had not reviewed your patches until you pinged me.

I believe that the performance problem that some Linux Chrome users ran into is different, because they don't have any certificates in the NSS certificate DB. Their performance problem is caused by merely accessing the NSS certificate DB in a network filesystem (NFS to be specific).

I looked at your patches quickly, and I can tell you understand what the problem is. I'll need to ask Bob Relyea to review your patches, as he knows SQLite much better than I do.

Wan-Teh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Can a ssl3.ca_list be configured on a model file descriptor?
Hi Wan-Teh,

I was wondering if you found my patches useful? Or maybe I can help in any way.

Regards,
Wolter

On 9/26/2010 9:07 AM, Wolter Eldering wrote:
> On 9/26/2010 1:39 AM, Wan-Teh Chang wrote:
>> On Fri, Sep 24, 2010 at 11:12 PM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
>>> I've added my patches and some test results to bug:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=595134
>>
>> Thank you very much!
>>
>>> I needed to start chrome like this:
>>>   chrome-linux/chrome-wrapper --single-process --enable-dnssec-certs
>>> to get the environment variables to be seen by chrome
>>
>> You should not use the --single-process option. It is intended for testing only.
>
> I know, the main reason for using this option is to get one integrated timing report when using
>   NSS_DEBUG_PKCS11_MODULE=NSS Internal PKCS #11 Module
>
>> You may have misunderstood the effects of --enable-dnssec-certs. I seem to remember with --enable-dnssec-certs, Chrome will still go through the normal certificate verification code path if the server's certificate (or rather, public key) is not in DNS.
>>
>> Wan-Teh
>
> I did not study the chrome sources in detail. I just had a quick look at how NSS is used. I noticed they call CERT_GetCertChainFromCert. Many queries are required to build the chain, especially when the chain is long.
>
> That's also the reason for my other question here: What's the reason for not caching token objects for internal tokens?
>
> I use mod_nss and about 250 hosts with SSL enabled, for every call
>   SSL_ConfigSecureServer(PRFileDesc *, CERTCertificate *, SECKEYPrivateKey *, SSL3KEAType)
>     ssl_ConfigSecureServer(ss, cert, NULL, keyPair, kea)
>       CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer, PR_TRUE);
>
> The CA chain is 4 deep == 12 queries
> 250 virtual hosts/SSL_ConfigSecureServer * 12 queries = 3000 queries
>
> I'm now setting up a test CA with a deeper CA chain to do more testing on that.
>
> Regards,
> Wolter
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On 9/21/2010 11:51 AM, Wolter Eldering wrote:
> On 9/21/2010 4:52 AM, Wan-Teh Chang wrote:
>> On Sun, Sep 19, 2010 at 12:39 AM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
>>> Because we deal with a large number of certificates I also have some patches to reduce the number of queries to the sql: type database. And a patch that will make the NSS_SDB_USE_CACHE=yes perform much better. We use NSS_SDB_USE_CACHE=yes so we can access it from gfs2.
>>>
>>> What's the best way to submit these patches?
>>
>> Hi Wolter,
>>
>> The best way to submit your NSS patches is to file NSS bug reports on the problems your patches are intended to address, and then attach the patches as attachments to the bug reports. Here is an example:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=597622
>>
>> I am especially interested in your patches for reducing the number of queries to the sql: databases, and for making the NSS_SDB_USE_CACHE=yes perform much better. Some of the Linux Chrome users run into serious SSL performance problems that were linked to their sql: databases being on NFS.
>>
>> Wan-Teh
>
> Hi Wan-Teh,
>
> The patches I made are based on 3.12.6 and I mainly looked where I needed to improve it to work well with mod_nss. I'll get the latest version of NSS and Chrome running on a Linux box so I can see what queries are executed and test the patches I've made.
>
> Regards,
> Wolter

I've added my patches and some test results to bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=595134

I've tested with chrome with a home-dir accessed via NFS.

I needed to start chrome like this:
  chrome-linux/chrome-wrapper --single-process --enable-dnssec-certs
to get the environment variables to be seen by chrome.

Before patch:
  Function            Calls   Total time   Avg time     % time
  C_FindObjectsInit   390     462ms        1184.62us    75.00%

After patch (AND NSS_SDB_USE_CACHE=yes):
  Function            Calls   Total time   Avg time     % time
  C_FindObjectsInit   390     27ms         69.23us      13.78%

I also added the --enable-dnssec-certs because I noticed from the code that CERT_GetCertChainFromCert is called. As far as I can see the whole chain will be built again and again. Each certificate in the chain takes about 4 sqlite queries.

Regards,
Wolter
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On Fri, Sep 24, 2010 at 11:12 PM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
> I've added my patches and some test results to bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=595134

Thank you very much!

> I needed to start chrome like this:
>   chrome-linux/chrome-wrapper --single-process --enable-dnssec-certs
> to get the environment variables to be seen by chrome

You should not use the --single-process option. It is intended for testing only.

The filesystem speed test in NSS softoken is broken with the current version of sqlite, so we have to set the environment variable NSS_SDB_USE_CACHE=yes to force it to use cache. I remember I also had to start chrome from the command line to get the NSS_SDB_USE_CACHE=yes environment variable to be seen by chrome. Or I may have modified the chrome wrapper script to set the environment variable in it.

> I also added the --enable-dnssec-certs because I noticed from the code that CERT_GetCertChainFromCert is called. As far as I can see the whole chain will be built again and again. Each certificate in the chain takes about 4 sqlite queries.

You may have misunderstood the effects of --enable-dnssec-certs. I seem to remember with --enable-dnssec-certs, Chrome will still go through the normal certificate verification code path if the server's certificate (or rather, public key) is not in DNS.

Wan-Teh
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On 9/26/2010 1:39 AM, Wan-Teh Chang wrote:
> On Fri, Sep 24, 2010 at 11:12 PM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
>> I've added my patches and some test results to bug:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=595134
>
> Thank you very much!
>
>> I needed to start chrome like this:
>>   chrome-linux/chrome-wrapper --single-process --enable-dnssec-certs
>> to get the environment variables to be seen by chrome
>
> You should not use the --single-process option. It is intended for testing only.

I know, the main reason for using this option is to get one integrated timing report when using
  NSS_DEBUG_PKCS11_MODULE=NSS Internal PKCS #11 Module

> You may have misunderstood the effects of --enable-dnssec-certs. I seem to remember with --enable-dnssec-certs, Chrome will still go through the normal certificate verification code path if the server's certificate (or rather, public key) is not in DNS.
>
> Wan-Teh

I did not study the chrome sources in detail. I just had a quick look at how NSS is used. I noticed they call CERT_GetCertChainFromCert. Many queries are required to build the chain, especially when the chain is long.

That's also the reason for my other question here: What's the reason for not caching token objects for internal tokens?

I use mod_nss and about 250 hosts with SSL enabled, for every call
  SSL_ConfigSecureServer(PRFileDesc *, CERTCertificate *, SECKEYPrivateKey *, SSL3KEAType)
    ssl_ConfigSecureServer(ss, cert, NULL, keyPair, kea)
      CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer, PR_TRUE);

The CA chain is 4 deep == 12 queries
250 virtual hosts/SSL_ConfigSecureServer * 12 queries = 3000 queries

I'm now setting up a test CA with a deeper CA chain to do more testing on that.

Regards,
Wolter
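The query arithmetic in the message above (a 4-deep chain costing 12 queries, times 250 virtual hosts) and the earlier observation that the whole chain is rebuilt on every call and each certificate costs a few sqlite queries can be reproduced with a small model. The following is an added example, not NSS code or Wolter's patch: the sqlite schema, the certificate names and the three lookups per certificate are constructed for this illustration (NSS's real sql: schema and query pattern differ), and the "cache" is a plain dict standing in for a per-process token object cache. It uses only Python's standard sqlite3 module and counts statements with the connection's trace hook, so the numbers come from the database rather than from multiplication.

```python
"""Constructed model of chain building against a sqlite certificate DB.

Added example, not NSS code: the schema and the three lookups per
certificate are invented to mirror the thread's arithmetic (a 4-deep chain
costing about 12 queries), so the effect of caching token objects across
many SSL_ConfigSecureServer-style calls can be measured.
"""
import sqlite3

CHAIN_DEPTH = 4       # leaf + two intermediates + root, as in the thread
QUERIES_PER_CERT = 3  # lookups the constructed builder issues per cert

CA_ROWS = [  # (subject, issuer); the root is self-issued (constructed names)
    ("CN=Root CA", "CN=Root CA"),
    ("CN=Intermediate A", "CN=Root CA"),
    ("CN=Intermediate B", "CN=Intermediate A"),
]


def make_db(num_hosts):
    """In-memory DB with one shared CA chain and one leaf per virtual host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE certs(subject TEXT PRIMARY KEY, issuer TEXT, der BLOB);
        CREATE TABLE trust(subject TEXT PRIMARY KEY, flags TEXT);
    """)
    rows = [(s, i, b"der:" + s.encode()) for s, i in CA_ROWS]
    rows += [("CN=vhost%03d" % n, "CN=Intermediate B", b"der:vhost%03d" % n)
             for n in range(num_hosts)]
    conn.executemany("INSERT INTO certs VALUES (?, ?, ?)", rows)
    conn.executemany("INSERT INTO trust VALUES (?, ?)",
                     [(s, "CT,C,C" if s == "CN=Root CA" else ",,")
                      for s, _ in CA_ROWS])
    conn.commit()
    return conn


class QueryCounter:
    """Counts every SQL statement the connection runs (sqlite trace hook)."""

    def __init__(self, conn):
        self.count = 0
        conn.set_trace_callback(self._trace)

    def _trace(self, _statement):
        self.count += 1


class ChainBuilder:
    """Walks issuer links from a leaf to a self-issued root.

    cache=None models an internal token with no object cache: every chain
    build hits the DB. A dict models a per-process object cache.
    """

    def __init__(self, conn, cache=None):
        self.conn = conn
        self.cache = cache

    def _fetch(self, subject):
        if self.cache is not None and subject in self.cache:
            return self.cache[subject]
        cur = self.conn.cursor()
        row = cur.execute("SELECT issuer, der FROM certs WHERE subject = ?",
                          (subject,)).fetchone()
        if row is None:
            raise LookupError("no certificate for %s" % subject)
        issuer, der = row
        trust = cur.execute("SELECT flags FROM trust WHERE subject = ?",
                            (subject,)).fetchone()
        (is_root,) = cur.execute(
            "SELECT COUNT(*) FROM certs WHERE subject = ? AND subject = issuer",
            (subject,)).fetchone()
        rec = {"subject": subject, "issuer": issuer, "der": der,
               "flags": trust[0] if trust else ",,", "is_root": bool(is_root)}
        if self.cache is not None:
            self.cache[subject] = rec
        return rec

    def build(self, leaf_subject):
        """Return the chain as a list of records, leaf first, root last."""
        chain, subject = [], leaf_subject
        while True:
            rec = self._fetch(subject)
            chain.append(rec)
            if rec["is_root"] or len(chain) > 16:  # 16 is only a loop guard
                return chain
            subject = rec["issuer"]


def count_queries(num_hosts, use_cache):
    """Total SQL statements issued to build every host's chain once."""
    conn = make_db(num_hosts)
    counter = QueryCounter(conn)  # attached after setup, so only lookups count
    builder = ChainBuilder(conn, cache={} if use_cache else None)
    for n in range(num_hosts):
        chain = builder.build("CN=vhost%03d" % n)
        assert len(chain) == CHAIN_DEPTH
    return counter.count


if __name__ == "__main__":
    hosts = 250
    print("uncached: %d queries" % count_queries(hosts, use_cache=False))
    print("cached:   %d queries" % count_queries(hosts, use_cache=True))
```

Without a cache the model issues 3 queries for each of the 4 certificates, so 12 per host and 3000 for 250 hosts, matching the arithmetic in the message. With the dict cache the three CA certificates are read once and only each host's own leaf still costs a lookup, so the total drops to 759; the design point is that the redundant work is in the shared issuers, which is exactly what a token object cache removes.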
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On Sun, Sep 19, 2010 at 12:39 AM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
> Because we deal with a large number of certificates I also have some patches to reduce the number of queries to the sql: type database. And a patch that will make the NSS_SDB_USE_CACHE=yes perform much better. We use NSS_SDB_USE_CACHE=yes so we can access it from gfs2.
>
> What's the best way to submit these patches?

Hi Wolter,

The best way to submit your NSS patches is to file NSS bug reports on the problems your patches are intended to address, and then attach the patches as attachments to the bug reports. Here is an example:
https://bugzilla.mozilla.org/show_bug.cgi?id=597622

I am especially interested in your patches for reducing the number of queries to the sql: databases, and for making the NSS_SDB_USE_CACHE=yes perform much better. Some of the Linux Chrome users run into serious SSL performance problems that were linked to their sql: databases being on NFS.

Wan-Teh
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On 9/21/2010 4:52 AM, Wan-Teh Chang wrote:
> On Sun, Sep 19, 2010 at 12:39 AM, Wolter Eldering wolter.elder...@vanad.com.cn wrote:
>> Because we deal with a large number of certificates I also have some patches to reduce the number of queries to the sql: type database. And a patch that will make the NSS_SDB_USE_CACHE=yes perform much better. We use NSS_SDB_USE_CACHE=yes so we can access it from gfs2.
>>
>> What's the best way to submit these patches?
>
> Hi Wolter,
>
> The best way to submit your NSS patches is to file NSS bug reports on the problems your patches are intended to address, and then attach the patches as attachments to the bug reports. Here is an example:
> https://bugzilla.mozilla.org/show_bug.cgi?id=597622
>
> I am especially interested in your patches for reducing the number of queries to the sql: databases, and for making the NSS_SDB_USE_CACHE=yes perform much better. Some of the Linux Chrome users run into serious SSL performance problems that were linked to their sql: databases being on NFS.
>
> Wan-Teh

Hi Wan-Teh,

The patches I made are based on 3.12.6 and I mainly looked where I needed to improve it to work well with mod_nss. I'll get the latest version of NSS and Chrome running on a Linux box so I can see what queries are executed and test the patches I've made.

Regards,
Wolter
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On 9/19/2010 11:48 AM, Nelson B Bolyard wrote:
> On 2010-09-16 00:54 PDT, Wolter Eldering wrote:
>> Hi,
>>
>> I have configured a model file descriptor using
>>   SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *list)
>>
>> The ssl3.ca_list information set in the model is not copied into the new file descriptor when calling
>>   PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
>
> Thank you for filing the bug report in bugzilla.
>
>> Could it be that the SSL_SetTrustAnchors() should be called every time on the PRFileDesc returned by SSL_ImportFD()?
>
> That's not the intent, but it probably works as a work-around.

Hi Nelson,

If I call SSL_SetTrustAnchors() for every connection as a work-around, every time the CERTCertList has to be converted into a CERTDistNames using CERT_DistNamesFromCertList.

I'm using this code in a patch for mod_nss so we can control the list of acceptable CAs for client authentication.

Because we deal with a large number of certificates I also have some patches to reduce the number of queries to the sql: type database. And a patch that will make the NSS_SDB_USE_CACHE=yes perform much better. We use NSS_SDB_USE_CACHE=yes so we can access it from gfs2.

What's the best way to submit these patches?

Regards,
Wolter
Re: Can a ssl3.ca_list be configured on a model file descriptor?
On 2010-09-16 00:54 PDT, Wolter Eldering wrote:
> Hi,
>
> I have configured a model file descriptor using
>   SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *list)
>
> The ssl3.ca_list information set in the model is not copied into the new file descriptor when calling
>   PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);

Thank you for filing the bug report in bugzilla.

> Could it be that the SSL_SetTrustAnchors() should be called every time on the PRFileDesc returned by SSL_ImportFD()?

That's not the intent, but it probably works as a work-around.

--
/Nelson Bolyard
Can a ssl3.ca_list be configured on a model file descriptor?
Hi,

I have configured a model file descriptor using
  SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *list)

The ssl3.ca_list information set in the model is not copied into the new file descriptor when calling
  PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);

Could it be that the SSL_SetTrustAnchors() should be called every time on the PRFileDesc returned by SSL_ImportFD()?

Regards,
Wolter Eldering