In message <45FCD7CD775DD411B4C100508B691BBB04B61F5D@WARE-MAIL> on Tue, 15 Oct 2002
07:53:14 +0200, Alon Philosoph <[EMAIL PROTECTED]> said:
AlonP> I am using apache_1.3.24 with mod_ssl-2.8.8-1.3.24 and openssl-engine-0.9.6g.
AlonP>
AlonP> When I configure apache to work in SSL with client
AlonP> authentication and a CRL that consists of 50,000 revoked certs, I
AlonP> get a very poor number of transactions per second.
AlonP> When I looked at the code I noticed that the function
AlonP> X509_CRL_verify takes a big amount of time to complete.
But it's not X509_CRL_verify that you're complaining about, it's
check_crl and the way things are handled in X509_verify_cert, right?
AlonP> Why do we need to check the crl signature for every client?
AlonP>
AlonP> The client certificate was already checked to be valid and the
AlonP> crl validity was checked by the server administrator.
Where was the client certificate already checked, and compared to
where?
That the CRL validity was already checked by the admin is irrelevant.
The programs that use the CRL have the responsibility to check that
things are consistent, so verifying the signature at all is a good
thing.
Perhaps we should ponder marking the certs and CRLs OpenSSL has in
memory with some bit saying they have already been verified. The only
trouble I can see with that is that it would be extremely easy for a
malicious hack to tweak those bits, and therefore circumvent all
security, so such a change would need some hard thinking.
AlonP> So what is the purpose of this function?
The purpose of X509_CRL_verify is to verify the signature of a given
CRL, no more, no less.
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
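The thread above is about two separate costs: verifying the CRL's signature on every client handshake, and scanning a 50,000-entry revocation list. The following is an added example (not OpenSSL's code, nor anything the poster ran) sketching the cached design Levitte is weighing, with one difference from a "verified" flag bit: the cache is keyed on a digest of the CRL bytes together with its signature, so an in-memory CRL that has been edited or swapped simply misses the cache and is verified again. Assumptions: an HMAC under a constructed issuer key stands in for the CA's RSA signature and for X509_CRL_verify; the CRL encoding (a "CRL:" prefix and comma-separated serials) is a stand-in for DER; the class, function and key names are hypothetical. An attacker who can already write to the server's memory could poison the cache dictionary just as easily as flip a bit, so this guards against unsigned modification of the CRL object, not against memory corruption.

```python
import hashlib
import hmac

# Constructed toy issuer key: an HMAC key stands in for the CA's CRL-signing key,
# so hmac.new() plays the role of the (much slower) RSA signature check that
# X509_CRL_verify performs. Everything here is example code, not OpenSSL's.
ISSUER_KEY = b"constructed-toy-issuer-key"


def encode_crl(revoked):
    """Encode the revoked serials as the to-be-signed CRL body (stand-in for DER)."""
    return b"CRL:" + b",".join(str(s).encode() for s in sorted(revoked))


def sign_crl(revoked, key=ISSUER_KEY):
    """Issuer side: return (body, signature) for a CRL listing the revoked serials."""
    body = encode_crl(revoked)
    return body, hmac.new(key, body, hashlib.sha256).digest()


def parse_serials(body):
    """Parse the CRL body into a set so a 50,000-entry lookup is O(1), not a scan."""
    payload = body[len(b"CRL:"):]
    return frozenset(int(s) for s in payload.split(b",") if s)


class CRLChecker:
    """Server side: verifies a CRL's signature once per distinct (body, signature)."""

    def __init__(self, issuer_key=ISSUER_KEY):
        self.issuer_key = issuer_key
        self.verify_calls = 0   # how often the expensive signature check actually ran
        self._verified = {}     # sha256(body || sig) -> frozenset of revoked serials

    def _verify_signature(self, body, sig):
        self.verify_calls += 1
        expected = hmac.new(self.issuer_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def revoked_serials(self, body, sig):
        # Key the cache on the bytes of the CRL *and* its signature: a CRL that
        # was edited in memory (or re-signed) misses the cache and is verified
        # again, so there is no separate "already verified" bit to flip.
        key = hashlib.sha256(body + sig).digest()
        serials = self._verified.get(key)
        if serials is None:
            if not self._verify_signature(body, sig):
                raise ValueError("CRL signature does not verify")
            serials = parse_serials(body)
            self._verified[key] = serials
        return serials

    def check_client(self, client_serial, body, sig):
        """Return 'revoked', 'ok', or 'crl-rejected' for one client handshake."""
        try:
            return "revoked" if client_serial in self.revoked_serials(body, sig) else "ok"
        except ValueError:
            return "crl-rejected"


def simulate(n_clients=1000, crl_size=50_000):
    """Run n_clients handshakes against a crl_size-entry CRL and return the stats."""
    revoked = range(0, 2 * crl_size, 2)          # constructed: even serials are revoked
    body, sig = sign_crl(revoked)
    checker = CRLChecker()
    results = [checker.check_client(serial, body, sig) for serial in range(n_clients)]
    genuine_calls = checker.verify_calls
    # Attacker edits the in-memory CRL to un-revoke serial 42 but cannot re-sign it.
    tampered = encode_crl(s for s in revoked if s != 42)
    tampered_result = checker.check_client(42, tampered, sig)
    return {
        "revoked": results.count("revoked"),
        "ok": results.count("ok"),
        "genuine_verify_calls": genuine_calls,
        "total_verify_calls": checker.verify_calls,
        "tampered_result": tampered_result,
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` performs one signature check for a thousand handshakes against the genuine 50,000-entry CRL, and the edited copy forces a second check that fails and rejects the client, which is the behaviour the thread wants from any caching scheme. A real implementation would sit in the equivalent of check_crl and would have to decide what else (issuer name, validity window of the CRL, the store it was loaded into) belongs in the cache key.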