Hi Dave,
Thank you very much for the detailed reply.
Following is the code I used in the server-side program:

    #include <openssl/ssl.h>

    /* Server loop: a fresh SSL object for every client connection */
    while (1) {
        SSL *ssl = SSL_new(ctx);
        SSL_set_fd(ssl, clientserver[1]);
        if (SSL_accept(ssl) != 1) {
            SSL_free(ssl);   /* do not leak the object when the handshake fails */
            break;
        }
        result.handshakes++;
        /* Flagging the shutdown as sent keeps the session in the ctx session
           cache; SSL_free() drops a session whose connection was not shut
           down cleanly. */
        SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN);
        SSL_free(ssl);
    }
This is the server loop I used to handle the requests from the client,
where ctx is configured as follows:

    /* Request and verify a client certificate; the callback runs once for
       each certificate in the chain. SSL_VERIFY_PEER alone still accepts a
       client that sends no certificate at all; SSL_VERIFY_FAIL_IF_NO_PEER_CERT
       would make one mandatory. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_client_certificate);
    /* Set the verification depth */
    SSL_CTX_set_verify_depth(ctx, VERIFICATION_DEPTH);
I also had to include the following code:

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>

    /* Verify callback: only logs failures and returns the verification
       result unchanged, so a failed chain still aborts the handshake. */
    int verify_client_certificate(int ok, X509_STORE_CTX *store) {
        char data[255];
        if (!ok) {
            X509 *cert = X509_STORE_CTX_get_current_cert(store);
            int depth = X509_STORE_CTX_get_error_depth(store);
            int err = X509_STORE_CTX_get_error(store);
            printf("Error with certificate at depth: %d!\n", depth);
            if (cert) {   /* may be NULL for some error codes */
                X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof data);
                printf("\tIssuer: %s\n", data);
                X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof data);
                printf("\tSubject: %s\n", data);
            }
            printf("\tError %d: %s\n", err, X509_verify_cert_error_string(err));
        }
        return ok;
    }
To clarify,
1. The server does use OpenSSL.
2. Full handshakes are done.
3. An SSL object is created and freed for each handshake.
Therefore, ideally, the session should not be cached, since I am creating a
new SSL object. There is similar counter code on the client side. Do you
think my conclusions are right?
On Fri, Jun 29, 2012 at 11:10 PM, Dave Thompson <[email protected]> wrote:
> >From: [email protected] On Behalf Of Sukalp Bhople
> >Sent: Friday, 29 June, 2012 15:30
>
> >I am trying to measure server performance for client certificate
> verification.
>
> >However, there is no significant difference in the server performance
> >when I send one certificate and condition when I send chain of 10
> certificates.
>
> I assume this is really a chain, i.e. the client cert depends on all
> the chain certs on the way to a root. If you send certs that aren't
> needed, OpenSSL will ignore them and they have no effect except using
> some network bandwidth (and transmission time, but in today's Internet
> transmission time for a cert of 1kbyte or so is almost zero).
>
> >I am aware that certificate verification is a public key operation.
> >But shouldn't it make some difference? Is there any caching mechanism
> >or something else?
>
> I assume (you are certain) the server uses OpenSSL, otherwise
> this is not the right place to ask.
>
> There may be caching of the certs in memory depending on whether
> the server uses CAfile, CApath, or a custom X509_LOOKUP; this could
> save I/O time. When last I read the code, unless it's modified,
> there is no caching of trust, and the verification is re-done.
>
> If you are using RSA authentication (certs), and depending on
> whether you are using RSA key-exchange or DHE or ECDHE, it wouldn't
> surprise me if the other operations that occur during a handshake
> are 100s or 1000s times more expensive than the cert verification(s),
> which would make effect of the cert verification(s) hard to measure
> externally (without a high-res clock inserted into the server code).
>
> Also, are you sure you are doing full handshakes? OpenSSL server
> can cache sessions*, and if you are testing with a single client
> that also does so (Java for example does by default) then both
> server and client auth are bypassed. (The session parameters
> are a temporary shared secret, which is supposedly sufficient.)
> (* OpenSSL since a long time does traditional session caching.
> Recent versions also do RFC-4507 tickets, but I haven't seen
> clients using those yet.)
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
>
--
Regards,
Sukalp Bhople.
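A way to answer the question raised above (whether every SSL_accept() was a full handshake, and therefore verified the client chain) from outside the server, using the openssl CLI. This is an added example, not code from the thread or from the OpenSSL project; the file names server.pem, server.key, client.pem, client.key and ca.pem, the port, and the "New, ..." / "Reused, ..." status line printed by s_client are assumptions. Note that OpenSSL keeps its session cache in the SSL_CTX, not in the SSL object, so creating a fresh SSL object per connection does not by itself rule out resumption; inside the server, SSL_session_reused() gives the same answer per connection.

```shell
#!/bin/sh
# Added example (not from the thread): drive an OpenSSL test server with the
# openssl CLI and count full versus resumed handshakes.
# Assumed placeholder files: server.pem, server.key, client.pem, client.key,
# ca.pem (the CA bundle covering the client's whole chain).
PORT="${PORT:-4433}"

# Test server that demands a client certificate (-Verify 10: required, depth 10).
# s_server keeps the classic session cache on by default.
start_server() {
    openssl s_server -accept "$PORT" -cert server.pem -key server.key \
        -CAfile ca.pem -Verify 10 -quiet >/dev/null 2>&1 &
    echo "$!"
}

# One s_client process that reconnects 5 times with the same session:
# the first handshake is full, the reconnects are resumed (no client auth).
reconnect_client() {
    openssl s_client -connect "localhost:$PORT" -cert client.pem -key client.key \
        -CAfile ca.pem -reconnect </dev/null 2>/dev/null
}

# N separate s_client processes: each starts without a session, so every
# handshake is full and the client chain is verified every time.
full_handshakes() {
    i=0
    while [ "$i" -lt "$1" ]; do
        openssl s_client -connect "localhost:$PORT" -cert client.pem \
            -key client.key -CAfile ca.pem </dev/null 2>/dev/null
        i=$((i + 1))
    done
}

# Count full ("New, ...") and resumed ("Reused, ...") handshakes in
# s_client output read from stdin; prints "full=N resumed=M".
count_handshakes() {
    awk '/^New, /{n++} /^Reused, /{r++} END{printf "full=%d resumed=%d\n", n, r}'
}

# Usage: ./check_resumption.sh reconnect   |   ./check_resumption.sh full 20
case "${1:-}" in
    reconnect) pid=$(start_server); sleep 1
               reconnect_client | count_handshakes; kill "$pid" ;;
    full)      pid=$(start_server); sleep 1; t0=$(date +%s)
               full_handshakes "${2:-10}" | count_handshakes
               echo "elapsed: $(( $(date +%s) - t0 ))s"; kill "$pid" ;;
esac
```

Run the "full" mode once with a one-certificate client and once with the ten-certificate chain to compare wall-clock time for the same number of full handshakes; the "reconnect" mode should report resumed=5 if the server's session cache is active.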