httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Marquess <>
Subject Re: CRL verification in mod_ssl
Date Wed, 15 Oct 2008 18:35:26 GMT
Dr Stephen Henson wrote:

> CRL refresh has some performance issues particularly in multi-process
> servers. For example a CRL might be 500K or more and be reloaded on each
> new connection. OpenSSL 0.9.9 does have some reload support though. If
> CRL processing was delegated to OpenSSL it would be available automatically.

Here's a real world example: I'm supporting an application with hundreds 
of servers deployed worldwide, currently referencing 46 separate CRL 
files totaling 201Mb.  Some of those have TTLs of as little as 18 hours. 
  The largest single CRL file is 30Mb, and of course is the one that is 
referenced the most.

-Steve M.

Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
301-524-9915 cell
301-831-8447 land/fax

View raw message