On Tue, Oct 13, 2009, Victor B. Wagner wrote:

> --- x509_lu.c.orig      2009-10-13 17:23:48.000000000 +0400
> +++ x509_lu.c   2009-10-13 17:24:15.000000000 +0400
> @@ -290,7 +290,7 @@
>  
>          tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
>                 
>                 -       if (tmp == NULL || type == X509_LU_CRL)
>                 +       if (!cache || tmp == NULL || type == X509_LU_CRL)
>                                 {
>                                                                 for 
> (i=vs->current_method;
>                                                                               
>   i<sk_X509_LOOKUP_num(ctx->get_cert_methods);
>                                                                               
>   i++)
>                                                                               
>                           {
> 
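Review bot: the new condition references `cache`, but the hunk shows neither where that variable is declared nor how it is set (a field on `ctx`, a parameter, or a flag), so the patch is not self-contained as posted; include the hunk that introduces it and document how a caller is meant to disable the cache. Note also that `tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);` still runs unconditionally before the test, so with `!cache` the cached lookup is not skipped, only the lookup methods are searched in addition, which matches the drawback stated below and should be said explicitly in the change description.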
> This solution has the drawback that it doesn't save the memory used by the cache,
> but it would make X509_STORE repeat the search in the hashed directory each
> time if the cache is disabled.
> 
> And it still allows examining the cache for additional matches after the search.
> 
> I've now noticed that three years ago you already committed a fix
> that makes the search for CRLs happen each time.
> 

There is some additional logic for CRLs though. In by_dir.c it stores the last
suffix value of a CRL so if you have CRL links:

12345678.r0
12345678.r1
12345678.r2
12345678.r3

It notes that "r3" is the last CRL looked up, so if a new one is now added:

12345678.r4

it only looks for r4 and doesn't reload all the (potentially large) previous
CRLs. The logic is that CRLs change far more regularly than certificates.

Though for certificates the likelihood of matching hash values is far lower.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
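The suffix bookkeeping Steve describes, as an added illustration that is not OpenSSL's own code: a simplified model of by_dir.c's CRL lookup that remembers, per subject-name hash, how many `hash.rN` files have already been loaded, so a later lookup only stats and loads the newly added ones (the directory contents and the hash value `12345678` are constructed for the demo).

```python
import os
import tempfile


class ByDirCrlLookup:
    """Simplified model of the CRL suffix tracking in OpenSSL's by_dir.c
    (assumption: this is an illustration, not the project's code).
    For each subject-name hash it records the next unused ".rN" suffix,
    so a repeated lookup starts at the first file it has not seen yet
    instead of re-reading every previously loaded CRL."""

    def __init__(self, directory):
        self.directory = directory
        self.next_suffix = {}  # name_hash -> first ".rN" index not yet loaded

    def lookup_crls(self, name_hash):
        """Return the names of CRL files newly loaded for name_hash."""
        k = self.next_suffix.get(name_hash, 0)
        loaded = []
        while True:
            path = os.path.join(self.directory, "%s.r%d" % (name_hash, k))
            try:
                os.stat(path)  # by_dir probes for hash.r0, hash.r1, ... until one is missing
            except FileNotFoundError:
                break
            loaded.append(os.path.basename(path))  # real code would parse and cache the CRL
            k += 1
        # remember where to resume; only done for CRLs in by_dir.c, since
        # CRLs change far more often than certificates
        self.next_suffix[name_hash] = k
        return loaded


def demo():
    """Populate a temp dir with r0..r3, look up, add r4, look up twice more."""
    with tempfile.TemporaryDirectory() as d:
        for k in range(4):
            open(os.path.join(d, "12345678.r%d" % k), "w").close()
        lu = ByDirCrlLookup(d)
        first = lu.lookup_crls("12345678")     # loads r0..r3
        open(os.path.join(d, "12345678.r4"), "w").close()
        second = lu.lookup_crls("12345678")    # loads only r4
        third = lu.lookup_crls("12345678")     # nothing new
        return first, second, third
```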