RE: CRL Checking Uses Excessive Memory

2006-10-11 Thread pbains

I am working on a DoD project, and we are experiencing high CPU load on HP-UX
servers with multiple CPUs in this scenario. We are thinking it is because
the CRL size for some CAs is huge - ad-hoc tests done with certs associated
with small CRLs do not produce CPU spikes, but large CRLs do. We are running
an older version of Apache and the mod_ssl package without OCSP support, but
have just installed an updated Apache with mod_ssl and OCSP support. Anyone
using this, and if so, have any luck with it? Thanks in advance!

Paul


Victor, Dwight P CTR DISA PAC wrote:
 
 Hi Rob,
 
 I also work for the DoD and am using the same CRLs as you (downloaded and
 converted on a daily basis).  We're running a Linux webserver with a
 single
 1.8Ghz Celeron, 512MB of RAM, and 1GB of swap.
 
 I haven't noticed any memory issues when checking CRLs.
 
 My Apache server starts multiple child servers.  It looks like the child
 servers hit around 60MB of memory usage (max) when processing CRL checks;
 500KB to 1MB seems to be the average child server's memory usage when
 idle.
 
 top says my current load average is about 0.03, 0.01, 0.00.  When checking
 CRLs, top says my load average zooms up to around 0.20, 0.05, 0.01.
 
 Of course, my userbase is very small and we aren't doing a ton of CRL
 checks.
 
 OCSP should resolve your issue with plowing through the CRLs, however, I
 have yet to find a viable OCSP solution.  There was a patch for mod_ssl,
 but
 I haven't heard anything about it since it was last released in 2004. 
 Maybe
 someone else on this list knows?
 
 Rob, why don't you email me offline.  I'm in the DISA GAL, if you can get
 to
 that.
 
 Dwight...
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Walls Rob W Contr 75
 CS/SCBS
 Sent: Friday, April 21, 2006 10:47 AM
 To: 'modssl-users@modssl.org'
 Subject: CRL Checking Uses Excessive Memory
 
 
 I work for the DoD. We have about a dozen CA's with their own CRL files.
 Some of these are over 20M in size. When CRL checking is enabled in Apache
 (for Linux or Windows), memory use is excessive and httpd processes are
 killed by the OS (Linux) due to out of memory conditions and all the
 memory
 swapping activity sends the proc utilization way up there and makes the
 server unresponsive. On Windows the CPU use just pegs at 100% (I have no
 idea what else is going on in there).
 CRL's are downloaded every day and openssl is used to make hash'd file
 names
 (ssl.conf is using  SSLCARevocationPath). I don't currently restart apache
 after retrieving the new CRL files.
 The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
 great, but as soon as CRLs are checked, apache starts to go south! I have
 a
 2Gb swap partition and have added another 2Gb swap file to at least keep
 things running, but it becomes so slow it might as well crash.
 Each httpd process goes from using about 14Mb of memory when not CRL
 checking to 250Mb when CRL checking is enabled!
 BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
 machine.
 
 Any ideas on how to use large CRL's in Apache? 
 
 Do I just need more memory?
 
 If Apache can't use many large CRL files, would an OSCP solution side-step
 these problems? Any good ones out there?
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  modssl-users@modssl.org
 Automated List Manager[EMAIL PROTECTED]
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  modssl-users@modssl.org
 Automated List Manager[EMAIL PROTECTED]
 
 

-- 
View this message in context: 
http://www.nabble.com/CRL-Checking-Uses-Excessive-Memory-tf1488925.html#a6764331
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


CRL Checking Uses Excessive Memory

2006-04-21 Thread Walls Rob W Contr 75 CS/SCBS
I work for the DoD. We have about a dozen CA's with their own CRL files.
Some of these are over 20M in size. When CRL checking is enabled in Apache
(for Linux or Windows), memory use is excessive and httpd processes are
killed by the OS (Linux) due to out of memory conditions and all the memory
swapping activity sends the proc utilization way up there and makes the
server unresponsive. On Windows the CPU use just pegs at 100% (I have no
idea what else is going on in there).
CRL's are downloaded every day and openssl is used to make hash'd file names
(ssl.conf is using  SSLCARevocationPath). I don't currently restart apache
after retrieving the new CRL files.
The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
great, but as soon as CRLs are checked, apache starts to go south! I have a
2Gb swap partition and have added another 2Gb swap file to at least keep
things running, but it becomes so slow it might as well crash.
Each httpd process goes from using about 14Mb of memory when not CRL
checking to 250Mb when CRL checking is enabled!
BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
machine.

Any ideas on how to use large CRL's in Apache? 

Do I just need more memory?

If Apache can't use many large CRL files, would an OSCP solution side-step
these problems? Any good ones out there?
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: CRL Checking Uses Excessive Memory

2006-04-21 Thread Phil Ehrens
I think the first thing you need to do is connect to this URL
from someplace that doesn't have any certs related to you
installed, like your local library:

https://www.hill.af.mil/main/index.html

I am not trying to be funny, I am just worried that either you
are going to get yourself into trouble by exposing configuration
info about .mil computers, or somebody else is going to get into
trouble while trying to help you.

Phil

Walls Rob W Contr 75 CS/SCBS wrote:
 I work for the DoD. We have about a dozen CA's with their own CRL files.
 Some of these are over 20M in size. When CRL checking is enabled in Apache
 (for Linux or Windows), memory use is excessive and httpd processes are
 killed by the OS (Linux) due to out of memory conditions and all the memory
 swapping activity sends the proc utilization way up there and makes the
 server unresponsive. On Windows the CPU use just pegs at 100% (I have no
 idea what else is going on in there).
 CRL's are downloaded every day and openssl is used to make hash'd file names
 (ssl.conf is using  SSLCARevocationPath). I don't currently restart apache
 after retrieving the new CRL files.
 The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
 great, but as soon as CRLs are checked, apache starts to go south! I have a
 2Gb swap partition and have added another 2Gb swap file to at least keep
 things running, but it becomes so slow it might as well crash.
 Each httpd process goes from using about 14Mb of memory when not CRL
 checking to 250Mb when CRL checking is enabled!
 BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
 machine.
 
 Any ideas on how to use large CRL's in Apache? 
 
 Do I just need more memory?
 
 If Apache can't use many large CRL files, would an OSCP solution side-step
 these problems? Any good ones out there?
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  modssl-users@modssl.org
 Automated List Manager[EMAIL PROTECTED]

-- 
Phil Ehrens [EMAIL PROTECTED]| Fun stuff:
The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org
California Institute of Technology| http://www.yellow5.com
1200 East California Blvd.| http://www.tokyotosho.com
Pasadena, CA 91125 USA| My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


RE: CRL Checking Uses Excessive Memory

2006-04-21 Thread Victor, Dwight P CTR DISA PAC
Hi Phil,

As far as I know, nothing that Rob mentioned is classified...especially
since he is not naming systems by name or address.  The fact that the DoD
uses certificates is no secret...there's been many writeups in the various
trade magazines regarding the DoD's push to PKI.

Dwight...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Phil Ehrens
Sent: Friday, April 21, 2006 11:11 AM
To: modssl-users@modssl.org
Subject: Re: CRL Checking Uses Excessive Memory


I think the first thing you need to do is connect to this URL
from someplace that doesn't have any certs related to you
installed, like your local library:

https://www.hill.af.mil/main/index.html

I am not trying to be funny, I am just worried that either you
are going to get yourself into trouble by exposing configuration
info about .mil computers, or somebody else is going to get into
trouble while trying to help you.

Phil

Walls Rob W Contr 75 CS/SCBS wrote:
 I work for the DoD. We have about a dozen CA's with their own CRL files.
 Some of these are over 20M in size. When CRL checking is enabled in Apache
 (for Linux or Windows), memory use is excessive and httpd processes are
 killed by the OS (Linux) due to out of memory conditions and all the
memory
 swapping activity sends the proc utilization way up there and makes the
 server unresponsive. On Windows the CPU use just pegs at 100% (I have no
 idea what else is going on in there).
 CRL's are downloaded every day and openssl is used to make hash'd file
names
 (ssl.conf is using  SSLCARevocationPath). I don't currently restart apache
 after retrieving the new CRL files.
 The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
 great, but as soon as CRLs are checked, apache starts to go south! I have
a
 2Gb swap partition and have added another 2Gb swap file to at least keep
 things running, but it becomes so slow it might as well crash.
 Each httpd process goes from using about 14Mb of memory when not CRL
 checking to 250Mb when CRL checking is enabled!
 BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
 machine.
 
 Any ideas on how to use large CRL's in Apache? 
 
 Do I just need more memory?
 
 If Apache can't use many large CRL files, would an OSCP solution side-step
 these problems? Any good ones out there?
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  modssl-users@modssl.org
 Automated List Manager[EMAIL PROTECTED]

-- 
Phil Ehrens [EMAIL PROTECTED]| Fun stuff:
The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org
California Institute of Technology| http://www.yellow5.com
1200 East California Blvd.| http://www.tokyotosho.com
Pasadena, CA 91125 USA| My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


RE: CRL Checking Uses Excessive Memory

2006-04-21 Thread Victor, Dwight P CTR DISA PAC
Hi Rob,

I also work for the DoD and am using the same CRLs as you (downloaded and
converted on a daily basis).  We're running a Linux webserver with a single
1.8Ghz Celeron, 512MB of RAM, and 1GB of swap.

I haven't noticed any memory issues when checking CRLs.

My Apache server starts multiple child servers.  It looks like the child
servers hit around 60MB of memory usage (max) when processing CRL checks;
500KB to 1MB seems to be the average child server's memory usage when idle.

top says my current load average is about 0.03, 0.01, 0.00.  When checking
CRLs, top says my load average zooms up to around 0.20, 0.05, 0.01.

Of course, my userbase is very small and we aren't doing a ton of CRL
checks.

OCSP should resolve your issue with plowing through the CRLs, however, I
have yet to find a viable OCSP solution.  There was a patch for mod_ssl, but
I haven't heard anything about it since it was last released in 2004.  Maybe
someone else on this list knows?

Rob, why don't you email me offline.  I'm in the DISA GAL, if you can get to
that.

Dwight...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Walls Rob W Contr 75
CS/SCBS
Sent: Friday, April 21, 2006 10:47 AM
To: 'modssl-users@modssl.org'
Subject: CRL Checking Uses Excessive Memory


I work for the DoD. We have about a dozen CA's with their own CRL files.
Some of these are over 20M in size. When CRL checking is enabled in Apache
(for Linux or Windows), memory use is excessive and httpd processes are
killed by the OS (Linux) due to out of memory conditions and all the memory
swapping activity sends the proc utilization way up there and makes the
server unresponsive. On Windows the CPU use just pegs at 100% (I have no
idea what else is going on in there).
CRL's are downloaded every day and openssl is used to make hash'd file names
(ssl.conf is using  SSLCARevocationPath). I don't currently restart apache
after retrieving the new CRL files.
The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
great, but as soon as CRLs are checked, apache starts to go south! I have a
2Gb swap partition and have added another 2Gb swap file to at least keep
things running, but it becomes so slow it might as well crash.
Each httpd process goes from using about 14Mb of memory when not CRL
checking to 250Mb when CRL checking is enabled!
BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
machine.

Any ideas on how to use large CRL's in Apache? 

Do I just need more memory?

If Apache can't use many large CRL files, would an OSCP solution side-step
these problems? Any good ones out there?
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]