[gnutls-devel] Speedup idea...

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Sep 3 10:48:13 CEST 2016


On Fri, 2016-09-02 at 09:50 +0200, Tim Ruehsen wrote:

> > > understandable explanation what's it all about.
> > I just realized, do you really need all of that? You can cache
> > verification outputs and that would be much more performant than any
> > optimization we discussed. You could for example save the
> > certificate/hostname pair once verified for limited time and rely on
> > that verification result instead. Pretty much similar to the trust on
> > first use, but here you will only be adding to the trusted store once
> > successfully verified, and for limited time.
> Thanks for the suggestion.
> 
> Of course I could - but then we have to add that code to any
> application that uses GnuTLS. IMO, such a solution is just a temporary
> work around until it is 'fixed' in the library.

Well, trust on first use is already supported in the library. If there
are improvements on that API to make it work as a caching layer, I'd be
glad to help with that.

> A bigger solution would be to have a (local) infrastructure
> service/daemon that provides these and other kinds of shared
> information to any process.
> Right now every network application has its own code for caching
> (OCSP, HSTS, HPKP, Session data, Cookies, ...) and static data (PSL,
> HSTS Preload, ...).
> Something like a pimped-up DNS :-))

That's certainly interesting. Providing these as an OS service would
certainly help. However, I think we are pretty far from such a holistic
solution.

regards,
Nikos
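The application-side cache sketched above (remember a certificate/hostname pair only after a successful full verification, and only for a limited time), as an added example that is not GnuTLS code nor anything from this thread. The cache key binds the hostname to a SHA-256 digest of the DER certificate, so a different certificate for the same host, or the same certificate presented for another host, never produces a cache hit; `full_verify`, the clock injection and the sample bytes are assumptions for the demonstration.

```python
"""Cache of successful certificate verifications, keyed on hostname + cert.

Added example: models the 'cache the verification output' idea from the
thread. It is not part of GnuTLS. Only a successful full verification
ever populates the cache, and every entry expires after `ttl_seconds`,
which also bounds how long a certificate revoked after it was cached
would keep being accepted without a fresh check.
"""
import hashlib
import time


class VerificationCache:
    def __init__(self, ttl_seconds, now=time.monotonic):
        self.ttl = ttl_seconds
        self.now = now                 # injectable clock, for testing
        self._entries = {}             # (host, fingerprint) -> expiry

    @staticmethod
    def _key(hostname, cert_der):
        # Normalise the host and fingerprint the exact DER bytes seen.
        host = hostname.lower().rstrip(".")
        return host, hashlib.sha256(cert_der).hexdigest()

    def lookup(self, hostname, cert_der):
        """True only for an unexpired entry for this exact host/cert pair."""
        key = self._key(hostname, cert_der)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if self.now() >= expiry:       # stale: drop and force re-verification
            del self._entries[key]
            return False
        return True

    def record_success(self, hostname, cert_der):
        self._entries[self._key(hostname, cert_der)] = self.now() + self.ttl


def verify_with_cache(cache, hostname, cert_der, full_verify):
    """Return (ok, from_cache). Failures are never cached."""
    if cache.lookup(hostname, cert_der):
        return True, True
    ok = bool(full_verify(hostname, cert_der))   # e.g. the library's chain check
    if ok:
        cache.record_success(hostname, cert_der)
    return ok, False
```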