I work for the DoD. We have about a dozen CA's with their own CRL files. Some of these are over 20M in size. When CRL checking is enabled in Apache (for Linux or Windows), memory use is excessive and httpd processes are killed by the OS (Linux) due to out of memory conditions and all the memory swapping activity sends the proc utilization way up there and makes the server unresponsive. On Windows the CPU use just pegs at 100% (I have no idea what else is going on in there). CRL's are downloaded every day and openssl is used to make hash'd file names (ssl.conf is using SSLCARevocationPath). I don't currently restart apache after retrieving the new CRL files. The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works great, but as soon as CRLs are checked, apache starts to go south! I have a 2Gb swap partition and have added another 2Gb swap file to at least keep things running, but it becomes so slow it might as well crash. Each httpd process goes from using about 14Mb of memory when not CRL checking to 250Mb when CRL checking is enabled! BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that machine.
Any ideas on how to use large CRL's in Apache? Do I just need more memory? If Apache can't use many large CRL files, would an OSCP solution side-step these problems? Any good ones out there? ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED]
