On Wed, Oct 19, 2016 at 02:22:31PM +0800, Antonio Quartulli wrote:
> Implement the functions needed by the crl-persist logic when openssl
> is enabled. Such functions are used in the ssl_verify module.
> Note that the CRL file is stored in an ad hoc data structure and no
> openssl specific object is used. The data structure being used is a
> sorted array of serials that can later be looked up in log(N) with
> a binary search, thus guaranteeing a fast lookup operation.
> Such data structure may be changed in the future with an optimized
> openssl specific object.
> Tests have been performed by using a CRL file having size 143MB.
> Original delay upon client connection was around 5-8 seconds.
> With this patch the delay gets close to 0.
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>

As discussed on IRC, it might be better to first change the CRL handling code in
the OpenSSL module to use the internal routines provided by the OpenSSL library.
(apparently a patch to implement this change is in the works on somebody else's

At that point my patch could be changed to re-use the same code instead of
implementing my own optimized logic.

Note: also OpenSSL uses a sorted array + bsearch for CRL handling, therefore
the performance of OpenSSL vs my approach should be similar.

Does anybody else have any opinion against this?


Antonio Quartulli
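The lookup scheme described in the patch (a sorted array of serials queried with a binary search) as an added illustration; this is not the OpenVPN or OpenSSL code, and the `crl_serial` struct, the length-then-bytes ordering and the 20-octet limit (RFC 5280) are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* A revoked serial: big-endian bytes with leading zero octets stripped
 * (hypothetical representation, not the OpenVPN or OpenSSL type). */
struct crl_serial {
    size_t len;
    uint8_t bytes[20];   /* RFC 5280 caps serial numbers at 20 octets */
};

/* Shorter numbers sort first, then byte-wise: for non-negative integers
 * without leading zeros this is numeric order, which qsort/bsearch need. */
static int serial_cmp(const void *a, const void *b)
{
    const struct crl_serial *x = a, *y = b;
    if (x->len != y->len)
        return x->len < y->len ? -1 : 1;
    return memcmp(x->bytes, y->bytes, x->len);
}

/* Sort once when the CRL is loaded; every later lookup is O(log N). */
void crl_index_build(struct crl_serial *list, size_t n)
{
    qsort(list, n, sizeof(*list), serial_cmp);
}

/* 1 = revoked, 0 = not in the CRL, -1 = malformed serial (fail closed). */
int crl_is_revoked(const struct crl_serial *list, size_t n,
                   const uint8_t *serial, size_t serial_len)
{
    struct crl_serial key;
    /* normalise the key the same way the list entries were stored */
    while (serial_len > 1 && serial[0] == 0) { serial++; serial_len--; }
    if (serial_len == 0 || serial_len > sizeof(key.bytes))
        return -1;
    key.len = serial_len;
    memcpy(key.bytes, serial, serial_len);
    return bsearch(&key, list, n, sizeof(*list), serial_cmp) != NULL;
}

/* Self-check on a constructed list (sample data, not from a real CRL). */
int crl_demo(void)
{
    struct crl_serial list[4] = { {2,{0x01,0x00}}, {1,{0x7f}}, {3,{0x0a,0xbb,0xcc}}, {1,{0x02}} };
    static const uint8_t padded[] = { 0x00, 0x7f }, absent[] = { 0x01, 0x01 };
    int mask = 0;
    crl_index_build(list, 4);
    if (crl_is_revoked(list, 4, padded, sizeof padded) == 1) mask |= 1;
    if (crl_is_revoked(list, 4, absent, sizeof absent) == 0) mask |= 2;
    return mask; /* 3 when the zero-padded serial is found and the absent one is not */
}
```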


Openvpn-devel mailing list
