[gnutls-devel] Speedup idea...
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sat Sep 3 10:48:13 CEST 2016
On Fri, 2016-09-02 at 09:50 +0200, Tim Ruehsen wrote:
> > > understandable explanation what's it all about.
> > I just realized, do you really need all of that? You can cache
> > verification outputs and that would be much more performant than any
> > optimization we discussed. You could for example save the
> > certificate/hostname pair once verified for limited time and rely on
> > that verification result instead. Pretty much similar to the trust on
> > first use, but here you will only be adding to the trusted store once
> > successfully verified, and for limited time.
> Thanks for the suggestion.
>
> Of course I could - but then we have to add that code to any
> application that uses GnuTLS. IMO, such a solution is just a temporary
> workaround until it is 'fixed' in the library.
Well, trust on first use is already supported in the library. If there
are improvements on that API to make it work as a caching layer, I'd be
glad to help with that.
> A bigger solution would be to have a (local) infrastructure
> service/daemon that provides these and other kinds of shared
> information to any process.
> Right now every network application has its own code for caching
> (OCSP, HSTS, HPKP, Session data, Cookies, ...) and static data (PSL,
> HSTS Preload, ...).
> Something like a pimped-up DNS :-))
That's certainly interesting. Providing these as an OS service would
certainly help. However, I think we are pretty far from such a holistic
solution.
regards,
Nikos
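The caching idea discussed in this thread, as an added illustration that is not code from the thread, from GnuTLS, or from wget: a positive verification result is remembered for a limited time, keyed on the hostname and a fingerprint of the whole presented chain, so a changed leaf or intermediate is a cache miss and is verified in full again. Only successes are cached; a failed verification is never remembered. The `slow_verifier` callback and the chain byte strings are constructed stand-ins for a real verification routine and real DER certificates.

```python
"""Time-limited cache of positive certificate-verification results.

Added example (not GnuTLS or wget code). The real verifier (for example a
call into the TLS library) is replaced by a constructed callback so the
block runs offline.
"""
import hashlib
from typing import Callable, Dict, List, Sequence, Tuple

# Key: (lowercased hostname, hex SHA-256 over the full chain).
CacheKey = Tuple[str, str]
Verifier = Callable[[str, Sequence[bytes]], bool]


def chain_fingerprint(chain_der: Sequence[bytes]) -> str:
    """Hash every certificate of the chain in order, length-prefixed.

    Keying on the whole chain rather than only the leaf means a swapped
    intermediate is treated as a new, unverified chain.
    """
    h = hashlib.sha256()
    for cert in chain_der:
        h.update(len(cert).to_bytes(4, "big"))  # prefix removes boundary ambiguity
        h.update(cert)
    return h.hexdigest()


class VerificationCache:
    def __init__(self, ttl_seconds: float, max_entries: int = 1024):
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self._entries: Dict[CacheKey, float] = {}  # key -> expiry timestamp

    def lookup(self, hostname: str, chain_der: Sequence[bytes], now: float) -> bool:
        """True only if this exact (host, chain) was verified and is still fresh."""
        key = (hostname.lower(), chain_fingerprint(chain_der))
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._entries[key]  # stale: force a full re-verification
            return False
        return True

    def store(self, hostname: str, chain_der: Sequence[bytes], now: float) -> None:
        if len(self._entries) >= self.max_entries:
            self._evict_expired(now)
            if len(self._entries) >= self.max_entries:
                # Still full: drop the entry closest to expiry.
                del self._entries[min(self._entries, key=self._entries.get)]
        self._entries[(hostname.lower(), chain_fingerprint(chain_der))] = now + self.ttl

    def _evict_expired(self, now: float) -> None:
        for key in [k for k, exp in self._entries.items() if now >= exp]:
            del self._entries[key]

    def verify(self, hostname: str, chain_der: Sequence[bytes],
               verifier: Verifier, now: float) -> Tuple[bool, bool]:
        """Return (verification_ok, served_from_cache).

        The expensive verifier runs only on a miss, and only a successful
        result is cached; failures are re-checked on every connection.
        """
        if self.lookup(hostname, chain_der, now):
            return True, True
        ok = verifier(hostname, chain_der)
        if ok:
            self.store(hostname, chain_der, now)
        return ok, False


def demo() -> Dict[str, object]:
    """Exercise hit, chain change, expiry and a non-cached failure."""
    calls: List[str] = []

    def slow_verifier(hostname: str, chain: Sequence[bytes]) -> bool:
        # Constructed stand-in: "valid" if the leaf names the host.
        calls.append(hostname)
        return hostname.encode() in chain[0]

    cache = VerificationCache(ttl_seconds=3600)
    chain_a = [b"LEAF:example.org", b"INTERMEDIATE:1"]   # constructed, not real DER
    chain_b = [b"LEAF:example.org", b"INTERMEDIATE:2"]   # same leaf, new intermediate
    t0 = 1_000_000.0
    results = [
        cache.verify("example.org", chain_a, slow_verifier, t0),          # miss, verified, cached
        cache.verify("example.org", chain_a, slow_verifier, t0 + 10),     # hit
        cache.verify("example.org", chain_b, slow_verifier, t0 + 20),     # chain changed: miss
        cache.verify("example.org", chain_a, slow_verifier, t0 + 3601),   # TTL elapsed: miss
        cache.verify("evil.example", chain_a, slow_verifier, t0 + 30),    # fails, not cached
        cache.verify("evil.example", chain_a, slow_verifier, t0 + 31),    # fails again, re-verified
    ]
    return {"results": results, "verifier_calls": len(calls)}


if __name__ == "__main__":
    print(demo())
```

Passing `now` explicitly keeps the cache testable and makes the lifetime policy visible: the TTL bounds how long a later revocation or expiry of the certificate goes unnoticed, which is the trade-off behind "for limited time" in the proposal above.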