Loading credentials in verify callback just as needed?
Tim Ruehsen
tim.ruehsen at gmx.de
Tue Aug 28 12:23:23 CEST 2012
Hi, maybe you can help me or point me to the right direction.
My problem:
GnuTLS initialization - as used in tools like wget - loads ALL .pem files from
e.g. /etc/ssl/certs/. This takes 'ages' on slow computers (there are hundreds
of certificates).
I can't believe that all these certs are needed to handshake one single HTTPS
connection.
I am looking for a way to just load the needed certs (very likely with the
verification callback function).
The current code is mainly taken from the GnuTLS example client code.
Its initialization looks like:

    gnutls_global_init();
    gnutls_certificate_allocate_credentials(&credentials);
    gnutls_certificate_set_verify_function(credentials, _verify_certificate_callback);
    /* now loading all files in ca_directory by calling */
    gnutls_certificate_set_x509_trust_file(credentials, fname, GNUTLS_X509_FMT_PEM);
During the handshake, _verify_certificate_callback is called and contains:

    gnutls_certificate_verify_peers2()
    /* do some checks... */
    gnutls_certificate_get_peers()
    gnutls_x509_crt_import()
    /* do more checks */
To reduce startup load, my idea is to leave out
gnutls_certificate_set_x509_trust_file() during initialization and call it
right before gnutls_certificate_verify_peers2() during the handshake.
But how do I know which files to load at that point?
There must be some way to find out which files/certs are needed.
As far as I know, OpenSSL is doing something similar using some kind of hashes
(c_rehash).
Can anyone help?
FYI, here is a valgrind summary of mget1.14 downloading https://www.google.de
using GnuTLS 3.0.22 (up-to-date Debian SID):

    == HEAP SUMMARY:
    == total heap usage: 1,808,439 allocs, 1,626,939 frees, 168,972,716 bytes allocated

The same with OpenSSL:

    == HEAP SUMMARY:
    == total heap usage: 5,170 allocs, 1,503 frees, 418,739 bytes allocated

And one for http://www.google.de:

    == HEAP SUMMARY:
    == total heap usage: 454 allocs, 416 frees, 118,981 bytes allocated
Cachegrinding wget/GnuTLS shows that 97% of the cost lies in
gnutls_certificate_set_x509_trust_file().
Now you know why I want to avoid calling it too often.
Regards,
Tim Ruehsen
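What the lazy lookup could look like, as an added example that is not code from the post, from wget or from GnuTLS: anchors are indexed once by a hash of their subject name (the idea behind c_rehash), and at verify time the index is asked for the one file whose subject matches the issuer of the chain's top certificate, which would then be the only path handed to gnutls_certificate_set_x509_trust_file() before gnutls_certificate_verify_peers2(). The DER walk, the SHA-256 key and the sample_cert stand-in are assumptions of this example; the key is not OpenSSL's canonical name hash, so the index is not c_rehash-compatible.

```python
"""Lazy trust-anchor lookup keyed by issuer name (added example; not code from the post,
wget or GnuTLS).  Anchors are indexed once, as c_rehash does, by a hash of the DER
subject name; at verify time only the file naming the chain top's issuer is read.
The SHA-256 key over raw Name bytes is an assumption, not OpenSSL's canonical hash."""
import hashlib, os

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def issuer_and_subject(cert_der):
    """Return the raw DER Name TLVs (issuer, subject) of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)                     # Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, pos)                 # tbsCertificate SEQUENCE
    fields = []
    while pos < end:                                  # collect tbsCertificate fields
        _, _, nxt = _tlv(cert_der, pos)
        fields.append(cert_der[pos:nxt])
        pos = nxt
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields.pop(0)
    return fields[2], fields[4]                       # serial, sigAlg, issuer, validity, subject

def dn_key(raw_name): return hashlib.sha256(raw_name).hexdigest()[:8]

def index_ca_dir(ca_dir):
    """One-time pass over a directory of DER anchors: {subject key: [paths]}."""
    index = {}
    for fname in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, fname)
        with open(path, "rb") as f:
            index.setdefault(dn_key(issuer_and_subject(f.read())[1]), []).append(path)
    return index

def trust_anchors_for(chain_der, index):
    """Handshake time: only the anchor(s) whose subject matches the issuer of the
    chain's top certificate need loading before verification; [] means no anchor."""
    return index.get(dn_key(issuer_and_subject(chain_der[-1])[0]), [])

def _der(tag, content): return bytes([tag, len(content)]) + content  # short lengths only

def sample_cert(issuer_cn, subject_cn):
    """Constructed stand-in (no key, no signature): enough structure for the walk above."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") +
           name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return _der(0x30, _der(0x30, tbs))
```

The lookup returns a list because a cross-signed issuer name can match more than one anchor; an empty list means no local anchor names that issuer, and verification should fail exactly as it does today.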