On 6/24/2014 7:58 PM, Jens Maus wrote:
> Hello,
>
> this is actually my first post to this list, so please excuse me if it might be
> too lengthy or too short or might address a question already raised in the past
> (which I didn’t find in the list archives so far).
>
> I am an application developer of an email client using openssl to secure POP3
> and SMTP connections. Some time ago I also added functionality to check
> the server certificates against a certificate bundle file (ca-bundle.crt) which
> users can store in the resource bundle of the mail client and the certificate
> check mechanism (via OpenSSL's callback mechanisms) is working fine so far.
>
> The only thing I am currently wondering is if there is a possibility to load
> the ca-bundle.crt file in advance and then reuse it between individual SSL
> connections. The reason why I am asking this is that on the systems I am
> developing this email client for, the SSL_CTX_load_verify_locations() function
> easily takes 2 - 3 seconds and AFAIK there is no functionality in OpenSSL to
> provide a preloaded certificate bundle to the SSL context structure.
>
> So what my client currently does is (pseudo code):
>
> — cut here —
> […]
> conn->sslCtx = SSL_CTX_new(SSLv23_client_method());
> SSL_CTX_set_options(conn->sslCtx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
> SSL_CTX_load_verify_locations(conn->sslCtx, …);
> SSL_CTX_set_default_verify_paths(…);
> SSL_CTX_set_verify(conn->sslCtx, …);
> SSL_CTX_set_cert_verify_callback(conn->sslCtx, …);
> SSL_CTX_set_cipher_list(conn->sslCtx, …);
> conn->ssl = SSL_new(conn->sslCtx);
> SSL_set_fd(conn->ssl, (int)conn->socket);
> SSL_connect(conn->ssl);
> […]
> — cut here —
>
> Looking at that execution sequence the SSL_CTX_load_verify_locations() call
> easily takes 2 - 3 seconds here either if the ca-bundle file is quite large or
> if the system is busy doing other stuff. This is especially critical since
> there are unfortunately some mail servers on the net (so-called ‘Nemesis’ mail
> servers from gmx.de, web.de and 1und1.de) which have a rather short SSL
> negotiation timeout (8 - 10 seconds only) right from the initiating STARTTLS
> call until the SSL negotiation has to be finished. Otherwise they simply drop the
> connection - which IMHO is another problem and another story not to be
> discussed here.
>
> So is there some possibility that I can load the ca-bundle.crt file in advance
> and simply supply the data to SSL_CTX instead of having to use
> SSL_CTX_load_verify_locations() which actually loads the ca-bundle.crt file
> from disk every time a new connection (and thus
> SSL_CTX_load_verify_locations()) is initiated?

Use SSL_CTX_get_cert_store() directly, this returns the X509_STORE
object, which you can then configure to look up the CA certificates
from an in-memory structure of your own.

Unfortunately, the X509_STORE object is mostly undocumented, however
it seems you can simply call X509_STORE_add_cert() and
X509_STORE_add_crl() with X509 and X509_CRL objects for each of
the certificates and CRLs in your in-memory cache.

It seems undocumented if there is sufficient reference counting of
X509/X509_CRL objects to share them (read-only) amongst threads, or if
you will have to duplicate them before adding them to the X509_STORE.

If duplication is needed, the easiest would be to hold the ca-bundle
in memory as a single large (read only) byte array, then for each new
SSL session, loop over d2i_X509() until you reach the end of your array
or it fails. Use a second array for the concatenated CRLs. Note that
the arrays should be in DER format, not PEM format.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded