On Mon, Mar 21, 2005, Victor Duchovni wrote:
> On Mon, Mar 21, 2005 at 05:41:56PM +0100, Dr. Stephen Henson wrote:
>
> > > In my server cache I have: 1900 entries occupying 2.4MBytes (in a btree
> > > totaling 7MB on disk) with an average size of 1300 bytes per entry
> > > (key + value). 977 of these entries are a mere 327 bytes long (no client
> > > cert), the rest of the sessions are 2.4k in average size and occupy 90%
> > > of the space. The vast majority of the client certs are unverified
> > > and waste space. Reducing resource requirements makes a server more
> > > DoS resistant. I think the feature I am looking for, a function that
> > > clears and frees the peer certificate from a session, is cheap enough
> > > to warrant implementation.
> > >
> >
> > I'm curious as to what purpose these unverified certificates serve? If they
> > aren't used in any way why are they requested in the first place?
> >
>
> I request client certificates because I need to authenticate a small
> number of clients (currently 1). When I ask for client certificates, all
> clients that have a client certificate (often self-signed) volunteer their
> certificates during the handshake. I don't need them, but I get them.
>

Can't you change it so the server only requests a certificate when either
the user requests expanded privileges or attempts a privileged action? Then
if an invalid certificate is given it would be rejected.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]