Hi,

I've found out that the default lookup method X509_LOOKUP_hash_dir caches
certificates and CRLs very aggressively.

Really, it uses X509_load_cert_file and X509_load_crl_file from the
X509_LOOKUP_file method, which always put the object into the memory cache
and never free anything from this cache.

From some previous discussions on this mailing list, I've got the
impression that the main difference between the hash_dir and file lookup
methods is that hash_dir doesn't keep all CA data (certificates and CRLs)
in memory, but loads them from disk on demand.

There are two main reasons to spend CPU cycles on loading CRLs from
disk each time:

1. CRLs of big public CAs can be quite big - up to tens of megabytes.
2. For some server applications, SSL_CTX and the associated X509_STORE can
live long enough that a CRL loaded on startup can be superseded by a newly
issued CRL.

Some applications, such as stunnel, use the cache field in the X509_STORE
struct for this very reason: to disable memory caching of CRLs.
But this doesn't work, because the cache field is never used. The only
reference to this field in the OpenSSL code is its initialization in
X509_STORE_new (I've checked both the 0.9.8 and 1.0.0 beta code).

Should it be considered a bug or missing functionality, or should the
cache field be removed from X509_STORE to avoid confusing application
authors?

BTW, it seems that most applications which actually use CRLs, such as
Apache, openvpn and stunnel, implement lookup of the certificate in the CRL
in their own code, not relying on X509_V_FLAG_CRL_CHECK in X509_STORE.


Regards, Victor





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
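As an added example (not part of Victor's message or OpenSSL's own code), the following script builds the on-disk layout that X509_LOOKUP_hash_dir expects (`<subject-hash>.0` for the CA certificate, `<subject-hash>.r0` for its CRL) and runs `openssl verify -crl_check`, the CLI counterpart of X509_V_FLAG_CRL_CHECK, before and after the CRL is reissued with the leaf revoked. It assumes the `openssl` CLI is on PATH; every key and certificate is throwaway material generated in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original message or the OpenSSL project:
# hand-built hash_dir CApath plus CRL checking via the openssl CLI.
# Assumes `openssl` is on PATH; all PKI material below is constructed here.
set -e; WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"; mkdir -p "$CAPATH"
cat > "$WORK/pki.cnf" <<EOF  # shared by `openssl req` (CA cert) and `openssl ca` (CRL)
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = local
[local]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
issue_crl() {  # (re)issue the CA's CRL and install it as <issuer-hash>.r0
    openssl ca -config "$WORK/pki.cnf" -gencrl -keyfile "$WORK/ca.key" \
        -cert "$WORK/ca.crt" -out "$WORK/crl.pem" 2>/dev/null
    cp "$WORK/crl.pem" "$CAPATH/$(openssl crl -hash -noout -in "$WORK/crl.pem").r0"
}
setup_pki() {  # throwaway CA and leaf, then the hash_dir layout
    openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=leaf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
    cp "$WORK/ca.crt" "$CAPATH/$(openssl x509 -hash -noout -in "$WORK/ca.crt").0"
    issue_crl
}
# Exit status 0 only if the leaf verifies with CRL checking enabled.
verify_leaf() { openssl verify -CApath "$CAPATH" -crl_check "$WORK/leaf.crt" 2>&1 | grep -q ': OK$'; }
revoke_leaf() {  # mark the leaf revoked in the CA database, then publish a fresh CRL
    openssl ca -config "$WORK/pki.cnf" -revoke "$WORK/leaf.crt" \
        -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" 2>/dev/null
    issue_crl
}
setup_pki; if verify_leaf; then BEFORE=ok; else BEFORE=fail; fi
revoke_leaf; if verify_leaf; then AFTER=ok; else AFTER=fail; fi
echo "before revocation: $BEFORE; after reissued CRL: $AFTER"
```

Each `openssl verify` run is a fresh process, so it reads the reissued `.r0` file; the message above reports that a long-lived X509_STORE using hash_dir would keep serving the first CRL it loaded, which is exactly the gap a CRL-checking deployment has to account for.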
