On Mon, Mar 21, 2005 at 05:41:56PM +0100, Dr. Stephen Henson wrote:
> > In my server cache I have: 1900 entries occupying 2.4MBytes (in a btree
> > totaling 7MB on disk) with an average size of 1300 bytes per entry
> > (key + value). 977 of these entries are a mere 327 bytes long (no client
> > cert); the rest of the sessions average 2.4k in size and occupy 90%
> > of the space. The vast majority of the client certs are unverified
> > and waste space. Reducing resource requirements makes a server more
> > DoS resistant. I think the feature I am looking for, a function that
> > clears and frees the peer certificate from a session, is cheap enough
> > to warrant implementation.
> >
>
> I'm curious as to what purpose these unverified certificates serve? If they
> aren't used in any way why are they requested in the first place?
>
I request client certificates because I need to authenticate a small
number of clients (currently 1). When I ask for client certificates, all
clients that have a client certificate (often self-signed) volunteer their
certificates during the handshake. I don't need them, but I get them.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]