Hoi Hans, JJK,

On 26-04-19 17:59, Jan Just Keijser wrote:
> On 26/04/19 17:08, j.witvl...@mindef.nl wrote:
>> With the “ca” parameter, you should provide the full trust-chain of
>> the CAs and sub-CAs that signed the used certificate.
>>
>> And, as far as I can remember, you can concatenate multiple
>> (pem-formatted) chains into one file.
>>
> correct, at least for the openssl-linked version of OpenVPN

The same goes for mbedtls.

>> Is there a limit on the length, or on the number of certificates, or
>> on the number of trust-chains ?
>>
> not really, AFAIK. I'd have to look through the OpenSSL source code to
> see if there is an actual limit

For mbedtls, there's no artificial limit. As long as the file size can be malloc'd and the entire parsed chain fits into RAM, mbedtls won't complain. I didn't look into OpenSSL, but I don't expect it to have a limit either.

You should probably realize though that the entire chain is traversed until a match is found for each connecting client. So creating a (really?) long list of certificates will decrease connection setup performance. To optimize the happy flow, you could put the most-used CA at the start of the file.

>> I currently have 22 CA-certificates yielding a file of 46K. Is that
>> too much ??
>>
> 46 K should be fine. However, you can try to reduce it by only including
> the BEGIN CERTIFICATE/END CERTIFICATE blobs, the rest is fluff. Most
> certificate blobs are about 1.5 KB in size, so you might be able to
> reduce it to about 33 KB

True, but this only has influence on startup time and SIGUSR1/SIGHUP restarts. Both openssl and mbedtls parse the file once on load, and only keep the parsed representation in memory. The size of the parsed information does not depend on "fluff" in the ca file, only on the actual certificates in it.

That said, I don't expect 22 CAs will incur a noticeable performance hit on a modern server/desktop CPU. It might make a difference if you're running openvpn on a slow embedded CPU though.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
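As an added example (not code from the thread or from OpenVPN), a small Python helper that does the trimming Jan Just describes: it keeps only the BEGIN/END CERTIFICATE blobs of a concatenated `ca` file, checks that each blob is intact base64 that decodes to a DER structure, and can move the most-used CA to the front as Steffan suggests. The sample bundle and the `prefer` parameter are constructed for the example; the blobs are placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM certificate blob, armour lines included (DOTALL: body spans lines).
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def extract_certs(bundle_text):
    """Return the re-armoured certificate blobs of a concatenated CA file;
    everything outside BEGIN/END CERTIFICATE (openssl's text 'fluff') is dropped."""
    certs = []
    for match in _PEM_CERT.finditer(bundle_text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:      # truncated paste, stray characters
            raise ValueError("malformed certificate blob") from exc
        if not der.startswith(b"\x30"):    # every DER X.509 cert is a SEQUENCE
            raise ValueError("blob does not decode to a DER certificate")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs

def trim_bundle(bundle_text, prefer=None):
    """Rebuild the bundle without fluff. `prefer` is the 0-based index of the
    most-used CA; it is moved to the front so the chain walk hits it first."""
    certs = extract_certs(bundle_text)
    if prefer is not None:
        certs.insert(0, certs.pop(prefer))
    return "".join(certs)

# Constructed sample: two placeholder blobs (NOT real certificates, just
# valid base64 of a tiny DER SEQUENCE) inside the text openssl x509 -text prints.
SAMPLE_BUNDLE = """\
Certificate:
    Issuer: CN = Example Root CA (placeholder)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
Certificate:
    Issuer: CN = Example Sub CA (placeholder)
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""
```

Run it over the real 46K bundle and compare `len()` before and after to see how much of the file was fluff; the certificate count must be unchanged.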