[gnutls-devel] GnuTLS | gnutls_x509_trust_list_add_system_trust() is extremely slow (#1528)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri Feb 16 16:20:59 CET 2024

Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1528

## Description of problem:

gnutls_x509_trust_list_add_system_trust() is surprisingly very slow. [This is causing a performance problem for WebKitGTK.](https://bugs.webkit.org/show_bug.cgi?id=251336#c19)

 * When running outside flatpak, on my computer the first call takes 100-300 milliseconds and all subsequent calls take 1-3 milliseconds. This isn't great as I didn't realize gnutls_x509_trust_list_add_system_trust() would block for a significant amount of time. But I assume it's probably necessary?
 * When running under flatpak, on my computer every call takes 100-300 milliseconds. GnuTLS is presumably contacting p11-kit-server every time. This seems like overkill. Would it be possible to cache these results instead so it doesn't happen again and again? Maybe p11-kit-server could notify GnuTLS only when there has been a change?

## Version of gnutls used:


## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora (outside flatpak), freedesktop-sdk (inside flatpak)

## How reproducible:


Steps to Reproduce:

 * Build glib-networking using [this debug patch](https://gitlab.gnome.org/GNOME/gnome-build-meta/-/raw/f7d857743fc9ea57899a31e43e4a44d113325b70/patches/glib-networking/extra-debug.patch)
 * Run `G_MESSAGES_DEBUG=GLib-Net epiphany -p https://cnn.com`

## Actual results:

Many slow calls to gnutls_x509_trust_list_add_system_trust()

## Expected results:

It should be less slow

