
NSS certutil doesn't properly batch sqlite transactions when adding a cert


Jeremy Rand

Jan 27, 2018, 2:51:31 PM
to dev-se...@lists.mozilla.org
I've been doing some experiments with certutil in sqlite mode, and it
appears that when I add a cert, 2 rows are inserted to the sqlite
database. So far so good. However, based on looking at the source code
(and some cursory ltrace inspection) it definitely looks like each of
those rows is inserted in its own sqlite transaction, rather than
batching the two inserts into a single transaction.

I strongly suspect that this is the reason why adding a cert in sqlite
mode is so slow. (I'm seeing latency of around 800ms on a regular
basis, although I'm on Qubes, so any I/O latency caused by NSS will be
exacerbated on my system.)

Am I correct about NSS currently using 2 transactions to add a cert? Is
there some undocumented trick to fix this, or should I file a Bugzilla
bug? (I'm seriously on the verge of trying to implement an LD_PRELOAD
proxy between NSS and sqlite in order to filter out the extra
transaction commands, but I definitely hope that level of witchcraft
won't be necessary....)

Cheers,
--
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyra...@airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jer...@veclabs.net is having technical issues at the
moment.

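The behaviour Jeremy describes, as an added example that is not part of the original thread and not NSS's or certutil's own code: a small Python/sqlite3 script with a constructed two-table stand-in for the two rows written per certificate (the table names `cert` and `trust`, their columns, the placeholder DER bytes and the PRAGMA settings are assumptions for this example, not NSS's schema or configuration). It inserts the two rows either in two transactions or in one, counts COMMIT statements through sqlite3's trace callback (the equivalent of what ltrace would show), times both strategies, and also shows what the two-transaction variant costs in atomicity when the second insert fails.

```python
import os
import sqlite3
import tempfile
import time

# Constructed stand-in for the two rows written per certificate. The table
# and column names are assumptions for this example, not NSS's schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS cert (id INTEGER PRIMARY KEY, der BLOB NOT NULL);
CREATE TABLE IF NOT EXISTS trust (id INTEGER PRIMARY KEY,
                                  cert_id INTEGER NOT NULL REFERENCES cert(id),
                                  nickname TEXT NOT NULL UNIQUE);
"""
SAMPLE_DER = b"\x30\x82\x01\x00"  # constructed placeholder, not a real certificate


def open_db(path):
    # isolation_level=None: the module issues no implicit BEGIN, so transaction
    # boundaries are exactly the BEGIN/COMMIT statements issued below.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("PRAGMA journal_mode=DELETE")
    conn.execute("PRAGMA synchronous=FULL")  # fsync on every COMMIT, so its cost is visible
    conn.executescript(SCHEMA)
    return conn


class CommitCounter:
    """Counts COMMIT statements via the trace callback (what ltrace would show)."""

    def __init__(self, conn):
        self.commits = 0
        conn.set_trace_callback(self._trace)

    def _trace(self, sql):
        if sql.strip().upper().startswith("COMMIT"):
            self.commits += 1


def add_cert_two_transactions(conn, der, nickname):
    """Each row in its own transaction: two journal writes and two fsyncs."""
    conn.execute("BEGIN")
    cert_id = conn.execute("INSERT INTO cert (der) VALUES (?)", (der,)).lastrowid
    conn.execute("COMMIT")  # the cert row is durable on its own from here on
    conn.execute("BEGIN")
    try:
        conn.execute("INSERT INTO trust (cert_id, nickname) VALUES (?, ?)", (cert_id, nickname))
        conn.execute("COMMIT")
    except sqlite3.Error:
        conn.execute("ROLLBACK")  # cannot undo the cert row already committed above
        raise
    return cert_id


def add_cert_one_transaction(conn, der, nickname):
    """Both rows in one transaction: one journal write, one fsync, atomic."""
    conn.execute("BEGIN")
    try:
        cert_id = conn.execute("INSERT INTO cert (der) VALUES (?)", (der,)).lastrowid
        conn.execute("INSERT INTO trust (cert_id, nickname) VALUES (?, ?)", (cert_id, nickname))
        conn.execute("COMMIT")
    except sqlite3.Error:
        conn.execute("ROLLBACK")  # neither row survives
        raise
    return cert_id


def run(strategy, n_certs, db_path):
    conn = open_db(db_path)
    counter = CommitCounter(conn)
    t0 = time.perf_counter()
    for i in range(n_certs):
        strategy(conn, SAMPLE_DER + bytes([i]), f"cert-{i}")
    elapsed = time.perf_counter() - t0
    commits = counter.commits
    # Failure injection: reusing nickname "cert-0" violates the UNIQUE constraint
    # on the second insert, after the first insert has already run.
    try:
        strategy(conn, SAMPLE_DER + b"\xff", "cert-0")
    except sqlite3.IntegrityError:
        pass
    orphans = conn.execute(
        "SELECT count(*) FROM cert WHERE id NOT IN (SELECT cert_id FROM trust)"
    ).fetchone()[0]
    conn.close()
    return {"commits": commits, "seconds": elapsed, "orphaned_cert_rows": orphans}


def compare(n_certs=50):
    with tempfile.TemporaryDirectory() as d:
        return {
            "two_transactions": run(add_cert_two_transactions, n_certs, os.path.join(d, "two.db")),
            "one_transaction": run(add_cert_one_transaction, n_certs, os.path.join(d, "one.db")),
        }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:17s} commits={r['commits']:4d} orphaned_cert_rows={r['orphaned_cert_rows']} "
              f"seconds={r['seconds']:.3f}")
```

The commit counts are deterministic (two per certificate versus one); the timings depend on the disk and filesystem, and on a setup like the Qubes one mentioned above the gap between the two strategies will be wider than on a bare-metal SSD. The orphan count is the correctness side of the same design: with one commit per row, a failure on the second insert leaves a certificate row with no accompanying trust row, which a single transaction avoids by construction. Whether certutil issues its two inserts with or without an enclosing BEGIN/COMMIT is what the trace in the post set out to confirm; this script does not examine NSS itself.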

Franziskus Kiefer

Jan 29, 2018, 4:21:28 AM
to Jeremy Rand, dev-se...@lists.mozilla.org
Hi Jeremy,

> Am I correct about NSS currently using 2 transactions to add a cert?

It probably does.

> Is there some undocumented trick to fix this, or should I file a Bugzilla
> bug?

I don't think that's something that can be changed without code changes.
You should probably file a bug. (I can't guarantee that it'll get fixed
quickly though.)

Cheers,
Franziskus

Jeremy Rand

Feb 6, 2018, 2:49:30 AM
to dev-se...@lists.mozilla.org
Thanks, I've just filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1435954 .

Cheers,
-Jeremy
