On Tue, Oct 13, 2009, Victor B. Wagner wrote:

> --- x509_lu.c.orig 2009-10-13 17:23:48.000000000 +0400
> +++ x509_lu.c 2009-10-13 17:24:15.000000000 +0400
> @@ -290,7 +290,7 @@
>
> tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
>
> - if (tmp == NULL || type == X509_LU_CRL)
> + if (!cache || tmp == NULL || type == X509_LU_CRL)
> {
> for
> (i=vs->current_method;
> > i<sk_X509_LOOKUP_num(ctx->get_cert_methods);
> > i++)
> > {
>
> This solution has the drawback that it doesn't save memory used by the cache,
> but it would make X509_STORE repeat the search in the hashed directory each
> time if the cache is disabled.
>
> And it still allows examining the cache for additional matches after the search.
>
> I've now noticed that three years ago you already committed a fix
> that makes the search for CRLs happen each time.
>
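Review bot: `cache` in the new condition `if (!cache || tmp == NULL || type == X509_LU_CRL)` is not declared or assigned anywhere in the hunk's context, so as posted it is unclear whether it is a new parameter, a local, or a flag read from `ctx`; the patch should show where it comes from and document it, otherwise the change cannot be reviewed or compiled from what is here. Also note that the branch only widens the condition under which the `get_cert_methods` loop is re-run; objects those methods load are still added to `ctx->objs` on every pass, which is the memory growth the message itself mentions. If the goal is "no caching" rather than "always rescan", the hunk should say so and handle the accumulation.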
There is some additional logic for CRLs though. In by_dir.c it stores the
last suffix value of a CRL, so if you have CRL links:

12345678.r0
12345678.r1
12345678.r2
12345678.r3

it notes that "r3" is the last CRL looked up. If a new one is now added:

12345678.r4

it only looks for r4 and doesn't reload all the (potentially large)
previous CRLs.

The logic is that CRLs change far more regularly than certificates,
though for certificates the likelihood of matching hash values is far less.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
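As an added illustration of the suffix logic described in this reply, and of the `!cache` condition in the patch quoted above, here is a small Python simulation. It is not code from OpenSSL or from either poster; the directory listing, the hash `12345678` (taken from the reply), and the names `HashDirLookup`, `lookup`, `add_file` and `demo` are all constructed for the example. It counts the stat()-style probes each lookup would make so the saving from the suffix memo is visible.

```python
# Added example (not OpenSSL's code): a simulation of the hashed-directory
# lookup behaviour the reply above describes. The directory listing, the
# subject hash "12345678" and the class/method names are constructed here.
# It models two things:
#   * by_dir.c's CRL suffix memo: after a CRL lookup has found
#     <hash>.r0 .. <hash>.r3, the next lookup for that hash probes only
#     <hash>.r4 onwards instead of re-reading every earlier CRL;
#   * the x509_lu.c condition from the quoted patch: a certificate already in
#     the X509_STORE object cache is not looked up again unless the cache is
#     disabled, whereas CRLs always go back to the lookup methods.


class HashDirLookup:
    """Constructed stand-in for an X509_LOOKUP hash directory."""

    def __init__(self, listing, cache=True):
        self.files = set(listing)   # names present "on disk"
        self.cache = cache          # False mimics the !cache branch in the patch
        self.cert_objs = {}         # X509_STORE object cache: hash -> loaded cert files
        self.crl_suffix = {}        # by_dir memo: hash -> next CRL suffix to probe
        self.stat_log = []          # number of stat() probes made by each lookup()

    def add_file(self, name):
        """A new link appears in the directory (e.g. a freshly published CRL)."""
        self.files.add(name)

    def lookup(self, subject_hash, kind):
        """Return the files newly loaded for this (hash, kind); [] on a cache hit."""
        if kind == "cert" and self.cache and subject_hash in self.cert_objs:
            self.stat_log.append(0)   # served from ctx->objs, no directory scan
            return []
        # Certificates always start at .0; CRLs resume where the last scan stopped.
        # Several suffixes exist because distinct subjects can share the 8-hex-digit
        # hash, or because several CRLs for one issuer are installed side by side.
        prefix = "r" if kind == "crl" else ""
        k = self.crl_suffix.get(subject_hash, 0) if kind == "crl" else 0
        loaded, probes = [], 0
        while True:
            probes += 1                         # one stat() per candidate name
            name = f"{subject_hash}.{prefix}{k}"
            if name not in self.files:
                break                           # first missing suffix ends the scan
            loaded.append(name)
            k += 1
        self.stat_log.append(probes)
        if kind == "crl":
            self.crl_suffix[subject_hash] = k   # only r<k> and later are probed next time
        else:
            self.cert_objs[subject_hash] = loaded
        return loaded


def demo(cache=True):
    """Replay the scenario from the reply and return what each lookup loaded."""
    store = HashDirLookup(
        ["12345678.0", "12345678.r0", "12345678.r1", "12345678.r2", "12345678.r3"],
        cache=cache,
    )
    out = {}
    out["crl_first"] = store.lookup("12345678", "crl")      # loads r0..r3
    out["crl_again"] = store.lookup("12345678", "crl")      # probes r4 only: nothing new
    store.add_file("12345678.r4")                           # a new CRL is published
    out["crl_after_add"] = store.lookup("12345678", "crl")  # loads just r4
    out["cert_first"] = store.lookup("12345678", "cert")    # loads .0
    out["cert_again"] = store.lookup("12345678", "cert")    # cache hit unless cache=False
    out["stat_log"] = list(store.stat_log)
    return out


if __name__ == "__main__":
    for cache in (True, False):
        print(f"cache={cache}:", demo(cache))
```

With the cache enabled the second CRL lookup costs a single probe for the not-yet-existing `r4`, and after `r4` is added only that file is loaded; the certificate is served from the object cache on its second lookup. With `cache=False` the certificate lookup repeats the directory scan every time, which is the behaviour the quoted patch is aiming for, at the memory cost the poster notes.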