Message-ID: <48F637EE.1000809@veridicalsystems.com>
Date: Wed, 15 Oct 2008 14:35:26 -0400
From: Steve Marquess
To: dev@httpd.apache.org
Subject: Re: CRL verification in mod_ssl
References: <1219952467.10907.39.camel@localhost> <1FBF3973-53E0-4E4D-8A9E-274664923434@webweaving.org> <48F5E887.7000904@openssl.org> <128d1ffe0810150908i2acc8171i7de4e6fc32ec4139@mail.gmail.com> <48F61CE9.4090900@openssl.org>
In-Reply-To: <48F61CE9.4090900@openssl.org>

Dr Stephen Henson wrote:
>
> ...
>
> CRL refresh has some performance issues, particularly in multi-process
> servers. For example, a CRL might be 500K or more and be reloaded on each
> new connection. OpenSSL 0.9.9 does have some reload support, though. If
> CRL processing was delegated to OpenSSL it would be available automatically.
Here's a real-world example: I'm supporting an application with hundreds of
servers deployed worldwide, currently referencing 46 separate CRL files
totaling 201Mb. Some of those have TTLs of as little as 18 hours. The largest
single CRL file is 30Mb, and of course is the one that is referenced the most.

-Steve M.

-- 
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell
301-831-8447 land/fax
marquess@veridicalsystems.com
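Added example (not code from this thread, from mod_ssl or from OpenSSL) showing the two halves of the reload problem described above: a CRL that is re-read and re-parsed on every new connection, and a CRL that must stop being trusted once its nextUpdate (the 18-hour TTL mentioned above) has passed. The script hand-encodes a constructed sample CertificateList with a dummy signature (nothing is verified here; a real server must check the issuer's signature before trusting the list), pulls thisUpdate/nextUpdate back out with a minimal DER reader, and keeps a process-local cache keyed on the file's mtime and size so a thousand connections cost one parse instead of a thousand, while a CRL past nextUpdate is reported stale so the caller can fail closed. The names (CRLCache, parse_crl_times, publish, demo), the 18-hour window and the temp-file handling are assumptions of this example, and it handles UTCTime only, as noted in the code.

```python
import datetime as dt
import os
import tempfile

UTC = dt.timezone.utc
THIS_UPDATE = dt.datetime(2008, 10, 15, 18, 0, 0, tzinfo=UTC)
NEXT_UPDATE = THIS_UPDATE + dt.timedelta(hours=18)  # an 18-hour CRL lifetime (assumed)

def der_tlv(tag, body):  # one DER TLV; long-form length once the body reaches 128 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_seq(*items): return der_tlv(0x30, b"".join(items))
def der_utctime(t): return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(this_update, next_update):
    """Constructed CertificateList (RFC 5280 s5.1): one revoked serial, dummy signature."""
    sig_alg = der_seq(der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), der_tlv(0x05, b""))
    issuer = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, bytes.fromhex("550403")),
                                           der_tlv(0x0C, b"Example CA"))))  # CN=Example CA
    revoked = der_seq(der_seq(der_tlv(0x02, b"\x07"), der_utctime(this_update)))
    tbs = der_seq(der_tlv(0x02, b"\x01"), sig_alg, issuer,  # v2, sha256WithRSAEncryption
                  der_utctime(this_update), der_utctime(next_update), revoked)
    return der_seq(tbs, sig_alg, der_tlv(0x03, bytes(33)))  # signature bytes are never verified here

def read_tlv(buf, off):
    """Return (tag, body, end) for the TLV at buf[off]; rejects non-DER lengths."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: 0x8N followed by N big-endian length bytes
        n = ln & 0x7F
        if not 0 < n <= 4 or off + n > len(buf):
            raise ValueError("bad length encoding")
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + ln > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[off:off + ln], off + ln

def children(body):  # split a constructed body into its (tag, body) elements
    out, off = [], 0
    while off < len(body):
        tag, inner, off = read_tlv(body, off)
        out.append((tag, inner))
    return out

def parse_utctime(tag, body):
    """Decode UTCTime 'YYMMDDHHMMSSZ'; two-digit years pivot at 50 (RFC 5280 4.1.2.5.1)."""
    s = body.decode("ascii")
    if tag != 0x17 or len(s) != 13 or s[-1] != "Z":
        raise ValueError("only UTCTime handled here; GeneralizedTime is used from 2050 on")
    yy, mo, d, h, mi, sec = (int(s[k:k + 2]) for k in range(0, 12, 2))
    return dt.datetime(yy + (1900 if yy >= 50 else 2000), mo, d, h, mi, sec, tzinfo=UTC)

def parse_crl_times(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    tag, body, end = read_tlv(der, 0)
    outer = children(body) if tag == 0x30 and end == len(der) else []
    f = children(outer[0][1]) if len(outer) == 3 and outer[0][0] == 0x30 else []
    i = 1 if f and f[0][0] == 0x02 else 0  # skip optional version; then sigalg, issuer, times
    if len(f) < i + 3:
        raise ValueError("not a CertificateList")
    has_next = len(f) > i + 3 and f[i + 3][0] in (0x17, 0x18)
    return parse_utctime(*f[i + 2]), (parse_utctime(*f[i + 3]) if has_next else None)

class CRLCache:
    """Reparse a CRL only when its (mtime_ns, size) changes; flag it stale past nextUpdate."""
    def __init__(self):
        self._entries, self.loads = {}, 0
    def get(self, path, now):
        st = os.stat(path)
        key = (st.st_mtime_ns, st.st_size)
        entry = self._entries.get(path)
        if entry is None or entry[0] != key:
            with open(path, "rb") as fh:
                entry = (key, parse_crl_times(fh.read()))
            self._entries[path], self.loads = entry, self.loads + 1
        this_update, next_update = entry[1]
        fresh = next_update is None or now < next_update  # no nextUpdate: issuer set no expiry
        return {"this_update": this_update, "next_update": next_update, "fresh": fresh}

def publish(path, this_update, next_update, mtime_ns):  # write a CRL; pin mtime so rewrites show
    with open(path, "wb") as fh:
        fh.write(build_sample_crl(this_update, next_update))
    os.utime(path, ns=(mtime_ns, mtime_ns))

def demo(connections=1000):
    with tempfile.TemporaryDirectory() as d:
        path, cache = os.path.join(d, "ca.crl"), CRLCache()
        publish(path, THIS_UPDATE, NEXT_UPDATE, 1_000_000_000)
        soon, later = THIS_UPDATE + dt.timedelta(minutes=1), NEXT_UPDATE + dt.timedelta(hours=1)
        burst = all(cache.get(path, soon)["fresh"] for _ in range(connections))
        loads_after_burst = cache.loads  # one parse, not one per connection
        stale = cache.get(path, later)["fresh"]  # past nextUpdate: must not be trusted
        publish(path, NEXT_UPDATE, NEXT_UPDATE + dt.timedelta(hours=18), 2_000_000_000)
        refreshed = cache.get(path, later)["fresh"]  # new file seen via mtime, parsed once more
        return loads_after_burst, burst, stale, refreshed, cache.loads
```

The cache is per process, so under a prefork-style server each child pays for one parse of each CRL file and then serves connections from memory until the file changes; with a 30Mb file that is still one 30Mb parse per child rather than one per connection. The stale flag is the part that actually matters for security: a CRL that is past nextUpdate and cannot be refreshed should cause verification to fail, not quietly keep serving the old revocation list.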