On 2009-11-18 05:43 PST, David Stutzman wrote:
> I've recently had a case where I have a DB with around 6700 certs/keys in
> it and a call to get the list of certs takes something like 20 minutes to
> complete.

If you're using cert7/key3 DB files, that's a known bug, and probably
cannot be fixed.  Or rather, the fix is believed to be to go to cert8/key4
on a local file system (not over a network).  That should be MUCH faster.
See bug 433105 starting at comment 8.

> I'm primarily using JSS (specifically the call to 
> CryptoToken.getCryptoStore().getCertificates()), but the same happens 
> with certutil on the command line.  I've switched from using the old DBM
> format to SQLite and it doesn't appear to have changed the behavior 
> much, if at all.

That's surprising.  It should have had a huge effect ... unless you're
accessing your DBs over a network.  See bug 467298.

> I'm currently using NSS 3.12.4 (BUILD_OPT=1, NSS_ENABLE_ECC=1, built on
> Vista 32bit using mozilla-build).  Is there anything I can do to speed
> things up at all?

Be really sure you're using cert9/key4 and local DBs.

> I assume having such a ridiculous number of cert and key pairs in the DB
> probably isn't a design goal.

Correct.  See bug 433105 comment 11 and later.
But the performance you're seeing is pathological, a known bug in the design
of key3.db that cannot be corrected without redesigning the DB,
which is what we did for key4.db.  The results for key4 should be MUCH
better, unless your system is incorrectly concluding that your DBs are
being accessed over a network when they're actually not.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
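
As an added example (not part of the original message and not NSS code), here is a shell check for the advice above to be sure which store format is actually being opened. It assumes legacy DBM stores are named cert8.db/key3.db, SQLite stores cert9.db/key4.db, and that an unprefixed directory falls back to NSS_DEFAULT_DB_TYPE and then to dbm in the NSS 3.12 series; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed file names: cert8.db/key3.db = legacy DBM store,
# cert9.db/key4.db = SQLite store. Assumed built-in default type: dbm.

# Print which store formats exist in a directory: sqlite, dbm, both or none.
nss_db_format() {
    dir=$1; has_sql=no; has_dbm=no
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        # A real SQLite file starts with these 15 characters plus a NUL.
        if [ "$(head -c 15 "$dir/cert9.db")" = "SQLite format 3" ]; then
            has_sql=yes
        fi
    fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then has_dbm=yes; fi
    case $has_sql$has_dbm in
        yesyes) echo both ;;
        yesno)  echo sqlite ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# Print "<type that will be opened> <formats present>" for a -d style argument.
# An explicit sql:/dbm: prefix wins, then NSS_DEFAULT_DB_TYPE, then the default.
nss_db_effective() {
    case $1 in
        sql:*) sel=sql; path=${1#sql:} ;;
        dbm:*) sel=dbm; path=${1#dbm:} ;;
        *)     sel=${NSS_DEFAULT_DB_TYPE:-dbm}; path=$1 ;;
    esac
    echo "$sel $(nss_db_format "$path")"
}

# Constructed sample: a directory holding both generations of files.
demo=$(mktemp -d)
printf 'SQLite format 3\000' > "$demo/cert9.db"
: > "$demo/key4.db"; : > "$demo/cert8.db"; : > "$demo/key3.db"
echo "no prefix:  $(nss_db_effective "$demo")"
echo "sql prefix: $(nss_db_effective "sql:$demo")"
rm -rf "$demo"
```

A result whose first word is dbm while SQLite files are present means the SQLite files exist but are not the ones being opened. The check does not tell you whether the directory is on a network file system.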
