NSS certutil doesn't properly batch sqlite transactions when adding a cert


NSS certutil doesn't properly batch sqlite transactions when adding a cert

Jeremy Rand
I've been doing some experiments with certutil in sqlite mode, and it
appears that when I add a cert, 2 rows are inserted to the sqlite
database.  So far so good.  However, based on looking at the source code
(and some cursory ltrace inspection) it definitely looks like each of
those rows is inserted in its own sqlite transaction, rather than
batching the two inserts into a single transaction.

I strongly suspect that this is the reason why adding a cert in sqlite
mode is so slow.  (I'm seeing latency of around 800ms on a regular
basis, although I'm on Qubes, so any I/O latency caused by NSS will be
exacerbated on my system.)

Am I correct about NSS currently using 2 transactions to add a cert?  Is
there some undocumented trick to fix this, or should I file a Bugzilla
bug?  (I'm seriously on the verge of trying to implement an LD_PRELOAD
proxy between NSS and sqlite in order to filter out the extra
transaction commands, but I definitely hope that level of witchcraft
won't be necessary....)

Cheers,
--
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: [hidden email]
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email [hidden email] is having technical issues at the
moment.


_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

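The transaction pattern Jeremy describes (each inserted row committed in its own SQLite transaction) set beside the batched alternative, as an added example that is not NSS or certutil code. The schema, the two sample rows and the `objects` table are constructed stand-ins and do not reflect the real cert9.db layout; only the commit pattern is the point. The `sqlite3` trace callback is used the way ltrace was used in the thread, to count the BEGIN/COMMIT statements actually reaching the engine.

```python
"""Per-row commits versus one batched transaction in SQLite (illustrative)."""
import os
import sqlite3
import tempfile
import time

# Constructed sample rows standing in for the two rows an "add cert" writes.
# Assumption: NSS's real tables and columns differ; the bytes are arbitrary.
SAMPLE_ROWS = [
    ("cert", bytes.fromhex("308201aa")),
    ("trust", bytes.fromhex("0001")),
]


def _open(path):
    # isolation_level=None puts the sqlite3 module in autocommit mode, so the
    # only transactions are the ones BEGUN/COMMITTED explicitly below and each
    # of them is visible to the trace callback.
    conn = sqlite3.connect(path, isolation_level=None)
    # fsync on every commit, as a durable key/cert store would want.
    conn.execute("PRAGMA synchronous=FULL")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS objects (kind TEXT NOT NULL, value BLOB NOT NULL)"
    )
    return conn


class TxCounter:
    """Counts transaction-control statements seen on a connection."""

    def __init__(self):
        self.begins = 0
        self.commits = 0

    def __call__(self, sql):
        s = sql.strip().upper()
        if s.startswith("BEGIN"):
            self.begins += 1
        elif s.startswith("COMMIT"):
            self.commits += 1


def insert_per_row(conn, rows):
    """Pattern suspected in the thread: one transaction (one fsync) per row."""
    for kind, value in rows:
        conn.execute("BEGIN")
        conn.execute("INSERT INTO objects (kind, value) VALUES (?, ?)", (kind, value))
        conn.execute("COMMIT")


def insert_batched(conn, rows):
    """Batched: every row lands atomically in a single transaction, one commit."""
    conn.execute("BEGIN")
    try:
        conn.executemany("INSERT INTO objects (kind, value) VALUES (?, ?)", rows)
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")  # no half-written object on failure
        raise


def run(insert_fn, rows, repeat=1):
    """Run insert_fn against a fresh file-backed DB.

    Returns (commits_seen, rows_stored, seconds_elapsed).
    """
    with tempfile.TemporaryDirectory() as d:
        conn = _open(os.path.join(d, "objects.db"))
        counter = TxCounter()
        conn.set_trace_callback(counter)
        t0 = time.perf_counter()
        for _ in range(repeat):
            insert_fn(conn, rows)
        elapsed = time.perf_counter() - t0
        conn.set_trace_callback(None)
        stored = conn.execute("SELECT COUNT(*) FROM objects").fetchone()[0]
        conn.close()
        return counter.commits, stored, elapsed


if __name__ == "__main__":
    for name, fn in (("per-row", insert_per_row), ("batched", insert_batched)):
        commits, stored, secs = run(fn, SAMPLE_ROWS, repeat=200)
        print(f"{name:8s} commits={commits:4d} rows={stored:4d} time={secs:.3f}s")
```

On a disk where each fsync is expensive (a Qubes VM's virtual block device is a good example), the per-row variant pays that cost once per row and the batched variant once per add. Note that the batched form is also the safer one: a crash between the two per-row commits leaves the first row without its companion, whereas a single transaction is all-or-nothing. Stripping COMMIT statements from outside the library, as an LD_PRELOAD interposer would, changes the atomicity the library assumes and is not a substitute for fixing the batching in the code.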

Re: NSS certutil doesn't properly batch sqlite transactions when adding a cert

Franziskus Kiefer
Hi Jeremy,

> Am I correct about NSS currently using 2 transactions to add a cert?

It probably does.

> Is there some undocumented trick to fix this, or should I file a Bugzilla
> bug?


I don't think that's something that can be changed without code changes.
You should probably file a bug. (I can't guarantee that it'll get fixed
quickly though.)

Cheers,
Franziskus


On Sat, Jan 27, 2018 at 8:50 PM, Jeremy Rand <[hidden email]> wrote:

Re: NSS certutil doesn't properly batch sqlite transactions when adding a cert

Jeremy Rand
Thanks, I've just filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1435954 .

Cheers,
-Jeremy

