
Re: (ITS#7388) [PATCH] MozNSS: ignore certdb 'sql:' prefix when checking directory existence

Hello Howard, 

> The patch looks syntactically correct. But SQL, seriously? As if TLS
> handshakes weren't slow enough already, you want to slow them down
> even further by looking up certs in an SQL database?

this is nothing new. Mozilla NSS has supported an SQL backend (SQLite) for
storing certificates since 3.12 (== Firefox 3), I think. The reason the
new format was introduced is mainly the problems with accessing the
database from multiple processes. It is described in great detail on the
following page: https://wiki.mozilla.org/NSS_Shared_DB

I can't tell anything about the performance because I haven't tried.

> Aside from questioning the wisdom of such an inefficient approach,
> there are other philosophical problems with this patch. It seems to be
> just the latest in a continuing stream of one-off patches. Are we going
> to get yet another special case patch from you guys when some other new
> certDB type comes along?

One Fedora user e-mailed me recently and wanted my help with setting up
the OpenLDAP server to use the database in the "new" sql format. This
patch is the result.

I do not think that any backend other than the legacy one and this one
is supported. Otherwise, I would write the patch more generally. I will
check with the MozNSS people and let you know.

> This approach is unmaintainable and does nothing to inspire confidence
> in the quality of thinking going into this code.
> You're working on a security library. We expect a lot better thought
> to go into these things.

I fully understand and expect that you will have some feedback on our
patches - which is happening right now.

The MozNSS crypto backend works quite well, but there are still some
problems in certain corner cases. The backend is not as mature as the
OpenSSL one. I'm really trying to fix them all and to make OpenLDAP
a better piece of software.
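
An added example (not the ITS#7388 patch itself, nor OpenLDAP or NSS code) of what the subject line describes: separating an NSS database-type prefix such as "sql:" from the directory part of a certdb specification before the directory is checked on disk. The spec string is assumed to be the value of a configuration option like TLSCACertificatePath (an assumption for this example), and a spec with no prefix is assumed to denote the legacy format. The prefixes "sql:" and "dbm:" are the two NSS itself understands for the SQLite and legacy Berkeley DB formats.

```c
/* Added example: strip an NSS certdb type prefix before stat()-ing the
 * directory. Not part of the original ITS#7388 patch or of OpenLDAP. */
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>

/* Database formats NSS recognises as a prefix on the certdb path:
 * "dbm:" is the legacy Berkeley DB format, "sql:" the SQLite shared DB.
 * A spec without a prefix is treated as legacy here (assumption). */
typedef enum { CERTDB_LEGACY, CERTDB_SQL } certdb_type;

static const struct {
    const char *prefix;
    certdb_type type;
} certdb_prefixes[] = {
    { "sql:", CERTDB_SQL },
    { "dbm:", CERTDB_LEGACY },
};

/* Split "<type>:<dir>" into its parts. Returns a pointer into spec at the
 * start of the directory (no allocation); stores the database type in
 * *type when type is not NULL. An unprefixed spec is returned unchanged. */
const char *certdb_split_spec(const char *spec, certdb_type *type)
{
    size_t i;
    for (i = 0; i < sizeof certdb_prefixes / sizeof certdb_prefixes[0]; i++) {
        size_t n = strlen(certdb_prefixes[i].prefix);
        if (strncmp(spec, certdb_prefixes[i].prefix, n) == 0) {
            if (type)
                *type = certdb_prefixes[i].type;
            return spec + n;
        }
    }
    if (type)
        *type = CERTDB_LEGACY;
    return spec;
}

/* Existence check done on the directory part only. Returns 1 if the
 * directory exists, 0 otherwise. stat()-ing the raw spec
 * ("sql:/etc/openldap/certs") would fail for every sql: database even
 * when the directory is present, which is what the patch subject says
 * it avoids. The full spec, prefix included, is what NSS_Initialize()
 * should still receive so NSS opens the right database format. */
int certdb_dir_exists(const char *spec)
{
    struct stat st;
    const char *dir = certdb_split_spec(spec, NULL);
    return stat(dir, &st) == 0 && S_ISDIR(st.st_mode);
}
```

The table of prefixes is the only place a new database type would have to be added, which is the general shape Howard's objection asks for instead of a special case per prefix.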