Hello OpenVPN community,

this is my first contribution (attempt) to the OpenVPN project.
Please be gentle ;)

With this small patchset I am introducing a simple logic that
reduces the overall client connection time when the CRL file is quite big.

Basically it consists in pre-loading the CRL file and storing it in the
OpenVPN context, so that it can be later re-used for faster lookups.

The connection delay in my tests has dropped significantly (I am using a 143MB
large CRL file having around 5 million entries).
Basically the delay (about 5 seconds on average) is moved from "every" client
connection event to the instance bootup (or file reload).

This new behaviour can be enabled by specifying "--crl-persist" after the
"--crl-file" option.

As of now, the CRL is updated only upon SIGHUP. Later this could be improved
by hooking the update to another signal (i.e. SIGUSR2), or when stat() would
detect a file update or even hook into inotify.

Patch 1 introduces the general logic in the openvpn code, like the new config
option and the hooks to the crypto modules.

Patch 2 implements the related functions in the mbedTLS module.

Patch 3 implements the related functions in the OpenSSL module.

(Please check the specific patch commit messages for more details).

Please, have a look at my style and the way I used the various data structures.
This being my first time in the OpenVPN code base, I may have misused
some objects like "c1" and similar.

Comments are welcome!


Antonio Quartulli (3):
  openvpn: implement crl-persist logic
  mbedtls: implement crl-persist related functions
  openssl: implement crl-persist related functions

 src/openvpn/init.c               |   7 ++
 src/openvpn/openvpn.h            |   6 ++
 src/openvpn/options.c            |  21 +++++
 src/openvpn/ssl_common.h         |  23 ++++-
 src/openvpn/ssl_verify.c         |   5 ++
 src/openvpn/ssl_verify_backend.h |  31 +++++++
 src/openvpn/ssl_verify_mbedtls.c | 102 ++++++++++++++++++----
 src/openvpn/ssl_verify_openssl.c | 183 +++++++++++++++++++++++++++++++++++++++
 8 files changed, 355 insertions(+), 23 deletions(-)
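
An added illustration of the idea in this cover letter (not code from the patchset or from OpenVPN): parse the revocation list once, answer per-connection checks from memory, and reload only when stat() shows the file changed. The one-hex-serial-per-line file format, the 64-bit serial limit and all `crl_cache_*` names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
/* Assumed toy format: one hex serial (max 64 bits) per line, not real X.509. */
struct crl_cache {
    uint64_t *serials;      /* sorted revoked serials */
    size_t count;
    long long mtime, size;  /* file state seen at the last load */
};

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}
/* Parse once and keep the sorted result. Any read or parse failure keeps the
 * previous cache, so a bad reload never becomes "nothing is revoked". */
int crl_cache_load(struct crl_cache *c, const char *path) {
    struct stat st;
    size_t n = 0, cap = 1024;
    unsigned long long s;
    FILE *f = stat(path, &st) == 0 ? fopen(path, "r") : NULL;
    uint64_t *v = f ? malloc(cap * sizeof *v) : NULL, *tmp;
    while (v && fscanf(f, "%llx", &s) == 1) {
        if (n == cap) {
            tmp = realloc(v, (cap *= 2) * sizeof *v);
            if (!tmp) { free(v); v = NULL; break; }
            v = tmp;
        }
        v[n++] = s;
    }
    int ok = v && feof(f);   /* stopping before EOF means a malformed entry */
    if (f) fclose(f);
    if (!ok) { free(v); return -1; }
    qsort(v, n, sizeof *v, cmp_u64);
    free(c->serials);
    c->serials = v; c->count = n; c->mtime = st.st_mtime; c->size = st.st_size;
    return 0;
}
/* Returns 1 if reloaded, 0 if unchanged, -1 on error. Size is compared as
 * well because st_mtime only has one-second granularity. */
int crl_cache_refresh(struct crl_cache *c, const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_mtime == c->mtime && st.st_size == c->size) return 0;
    return crl_cache_load(c, path) == 0 ? 1 : -1;
}
/* Per-connection check: binary search over the cache, no file parsing. */
int crl_cache_is_revoked(const struct crl_cache *c, uint64_t serial) {
    return c->count && bsearch(&serial, c->serials, c->count, sizeof serial, cmp_u64);
}
```

Start from a zero-initialised `struct crl_cache`, call `crl_cache_load()` at startup and `crl_cache_refresh()` from a signal-driven or periodic reload path.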


Openvpn-devel mailing list
