[gnutls-devel] Speedup idea...
nmav at gnutls.org
Sun Aug 28 15:08:45 CEST 2016
On Wed, 2016-08-03 at 10:19 +0200, Tim Ruehsen wrote:
> > This violates the rule that the credentials must be read only after
> > being
> > set on a session, but on client side they are only used during
> > verification. An alternative approach is to verify the peers
> > certificates
> > using a trust list.
> My goal is to only load that CA cert(s) that really have to be
> against. I need to create a hash from the server certs which 'point'
> to the CA
> cert files on disk, like OpenSSL already does. Well, we talked about
> that in
> the past and you pointed me to p11kit... but in fact, I so far do not
> have a 'big picture' - the p11kit docs are mostly technical details,
> understandable explanation what 's it all about.
I just realized, do you really need all of that? You can cache
verification outputs and that would be much more performant than any
optimization we discussed. You could for example save the
certificate/hostname pair once verified for limited time and rely on
that verification result instead. Pretty much similar to the trust on
first use, but here you will only be adding to the trusted store once
successfully verified, and for limited time.
More information about the Gnutls-devel