Dr Stephen Henson wrote:
> ... CRL refresh has some performance issues particularly in multi-process servers. For example a CRL might be 500K or more and be reloaded on each new connection. OpenSSL 0.9.9 does have some reload support though. If CRL processing was delegated to OpenSSL it would be available automatically.

Here's a real world example: I'm supporting an application with hundreds of servers deployed worldwide, currently referencing 46 separate CRL files totaling 201Mb. Some of those have TTLs of as little as 18 hours. The largest single CRL file is 30Mb, and of course is the one that is referenced the most.

-Steve M.

-- 
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell
301-831-8447 land/fax
[EMAIL PROTECTED]
