Re: CA DB Support
Massimiliano Pala [EMAIL PROTECTED] writes: I was discussing with some people from the OpenCA project and we do think that a DB support (like Berkeley DB, NDBM, GDBM) should be added to the ca application to store certificates' information and assure scalability. What do you know about openssl ca's scalability ? How many certificates currently supports ?? I haven't tested. I'd guess index.txt would cause some things to slow performance (but possibly not---I'm assuming there are linear searches around). The public keys seem to be kept in separate files in a directory: however they get used, that's going to cause some prblems on some filesystems. However, I'd guess the current design is probably fine for, say, 1 certificates. Specific applications might find the scalability a problem, but for most purposes it's fine. -- Bruce Stephens [EMAIL PROTECTED] MessagingDirect(UK) Ltd URL:http://www.MessagingDirect.com/ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL Server Gated Cryptography
Hello! Does OpenSSL support Server Gated Cryptography (SGC)? Thanks in advance. Regards Yuriy Stul mailto:[EMAIL PROTECTED] http://www.tashilon.com __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Macintosh Builds
I have seen that some of the files include macsocket.h. Where can I get the version that the author intended? __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: CA DB Support
but our question is about 5/10 Millions of certificates. You might look at what typical (traditional?) Usenet implementations do... __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CA DB Support
Massimiliano Pala wrote: Bruce Stephens wrote: I haven't tested. I'd guess index.txt would cause some things to slow performance (but possibly not---I'm assuming there are linear searches around). The public keys seem to be kept in separate files in a directory: however they get used, that's going to cause some prblems on some filesystems. However, I'd guess the current design is probably fine for, say, 1 certificates. Specific applications might find the scalability a problem, but for most purposes it's fine. I have tested it with 500.000 certificates and gave me no problems, but our question is about 5/10 Millions of certificates. What about file system capabilities (let's say for UNiX systems like Linux/SunOS/FreeBSD/ etc... ) ??? Someone has ever got to think about similar problems ??? index.txt is stored in an in memory database: the extended memory requirements may cause problems if huge numbers of certificates used. When the database is changed the whole thing is written to disk: again potential problems of corruption. Additional problems can arise if you store copies of certificates in the same directory: a few million files in a directory is not advisable! 'ca' was not initially meant to be used for a full blown CA it was just a demo. I've often considered using some kind of database for certificates. One problem is getting something that compiles on all platforms. In the longer term it might be better if things like req, ca, x509 functionality was exposed to something like perl which could make things a bit friendlier. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CA DB Support
Bruce Stephens wrote: Massimiliano Pala [EMAIL PROTECTED] writes: I was discussing with some people from the OpenCA project and we do think that a DB support (like Berkeley DB, NDBM, GDBM) should be However, I'd guess the current design is probably fine for, say, 1 certificates. Specific applications might find the scalability a problem, but for most purposes it's fine. Depends on how you're using it. IMHO the main performance-related issue is the client access: searching for certificates (by any attributes like CN, Email etc.), loading of certificates, doing on-line verification etc. Well, you can keep that away from OpenSSL's index.txt by storing the certs on a LDAP server like OpenLDAP which is optimized for such kind of stuff. You might wanna use a HTTP/LDAP gateway for providing the cert data via HTTP to clients not capable of LDAP (e.g. use my package web2ldap found on http://sites.inka.de/ms/python/web2ldap/). Currently I'm thinking about stripping down my package web2ldap for doing exactly this job. Ciao, Michael. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL Server Gated Cryptography
Yuriy Stul wrote: Does OpenSSL support Server Gated Cryptography (SGC)? You might wanna go to http://www.modssl.org/ and read the README.GlobalID. Ciao, Michael. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CA DB Support
Dr Stephen Henson wrote: I've often considered using some kind of database for certificates. One problem is getting something that compiles on all platforms. We could get cooperation from the OpenLDAP people as they had to do it and I think they done a very good job. However I could say we can take in charge to add this functionality to OpenSSL/ca program (if you say it will be added to the project) or distribute something in parallel in our own package. I know the ca app was not meant to fully run a ca but as you might think our project is strictly related to the OpenSSL layer and the ca app could be a very useful link (so we do not have to distribute patches to OpenSSL instead we could use it as it was compiled by the user) between our web- based interface and the crypto layer. What do you think about it ??? C'you, Massimiliano Pala ([EMAIL PROTECTED]) S/MIME Cryptographic Signature
Re: Macintosh Builds
I have seen that some of the files include macsocket.h. Where can I get the version that the author intended? I'm the author, and I can send you them if you wish. I take it they're not in the current snapshot tree? -Roy __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problem with import PKCS12 to Windows
From: Dr Stephen Henson [EMAIL PROTECTED] To: [EMAIL PROTECTED] From: Ziacek Martin [EMAIL PROTECTED] To: "'[EMAIL PROTECTED] '" [EMAIL PROTECTED] Remember that messages to openssl-bugs usually come from people who are not subscribed to openssl-dev, and without Cc's to them they won't be able to read the replies. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
No Subject
When I connect to sites signed by RSA's Cert authority (using s_client) = I get this: verify error:num=3D20:unable to get local issuer certificate verify error:num=3D21:unable to verify the first certificate Do you have the RSA CA certificate in a location that OpenSSL can find it? On windows, you need to specify the location of the file containing the root certificates. Using the default verify paths is not enough since the specified defaults are applicable to Unix and not to windows. http://www.e-softinc.com/cacerts.txt contains certificates for most of the well known CAs including the RSA CA. Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2 The Kermit Project * Columbia University 612 West 115th St #716 * New York, NY * 10025 http://www.kermit-project.org/k95.html * [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]