Hi, I've found out that the default lookup method X509_LOOKUP_hash_dir caches certificates and CRLs very aggressively.

Really, it uses X509_load_cert_file and X509_load_crl_file from the X509_LOOKUP_file method, which always put the object into the memory cache and never free anything from this cache. From some previous discussions in this mailing list, I've got the impression that the main difference between the hash_dir and file lookup methods is that hash_dir doesn't keep all CA data (certificates and CRLs) in memory, but loads them from disk on demand.

There are two main reasons to spend CPU cycles on loading CRLs from disk each time:

1. CRLs of big public CAs can be quite big - up to tens of megabytes.
2. For some server applications the SSL_CTX and associated X509_STORE can live long enough that a CRL loaded on startup can be superseded by a newly issued CRL.

Some applications, such as stunnel, use the cache field in the X509_STORE struct for this very reason - to disable memory caching of CRLs. But this doesn't work, because the cache field is never used. The only reference to this field in the OpenSSL code is its initialization in X509_STORE_new (I've checked both the 0.9.8 and 1.0.0 beta code).

Should it be considered a bug, a missing functionality, or should the cache field be removed from X509_STORE to avoid confusing application authors?

BTW, it seems that most applications which actually use CRLs, such as Apache, openvpn and stunnel, do implement the lookup of the certificate in the CRL in their own code, not relying on X509_V_FLAG_CRL_CHECK in X509_STORE.

Regards,
Victor

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org