Re: Is it worth accepting multiple CRLs?

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: sfrost(at)snowman(dot)net
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Is it worth accepting multiple CRLs?
Date: 2020-08-18 07:43:47
Message-ID: 20200818.164347.563741043271525282.horikyota.ntt@gmail.com
Lists: pgsql-hackers

Hello.

At Sat, 15 Aug 2020 13:18:22 -0400, Stephen Frost <sfrost(at)snowman(dot)net> wrote in
> > Looking closer I realized that certificates are verified in each
> > backend so CRL cache doesn't work at all for the hashed directory
> > method. Therefore, all CRL files relevant to a certificate to be
> > verified are loaded every time a backend starts.
> >
> > The only advantage of this is avoiding irrelevant CRLs from being
> > loaded in exchange of loading relevant CRLs at every session
> > start. Session startup gets slower by many delta CRLs from the same
> > CA.
> >
> > Seems far from promising.
>
> I agree that it's not ideal, but I don't know that this is a reason to
> not move forward with this feature..?

Since one of the significant advantages of the directory method is
the differential loading of new CRLs. But actually it has other advantages
like easier file handling and not needing a server reload.

> We could certainly have a later patch which improves this in some way
> (though exactly how isn't clear... if we move the CRL loading into
> postmaster then we'd have to load *all* of them, and then we'd still
> need to check if they've changed since we loaded them, and presumably
> have some way to signal the postmaster to update its set from time to
> time..), but that can be a future effort.
>
> I took a quick look through the patch and it seemed pretty straight
> forward to me and a good improvement.
>
> Would love to hear other thoughts. I hope you'll submit this for the
> September CF and ping me when you do and I'll see if I can get it
> committed.

Thank you very much. I'll do that after some polishing.

A nearby discussion about OpenSSL 3.0 conflicts with this but it's
easy to follow.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
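The message above turns on how OpenSSL's hashed-directory lookup behaves: for one issuer it reads `<subject-hash>.r0`, `<subject-hash>.r1`, ... and stops at the first suffix that is missing, and because PostgreSQL verifies certificates in each backend, that walk is repeated for every new session. The following Python model is an added example, not code from this thread or from PostgreSQL or OpenSSL; it reproduces the suffix walk on a constructed temporary directory (the hash value `0xabcd1234` and the placeholder file contents are made up) so that the per-session loading cost and the "gap in suffixes" failure mode can be seen directly.

```python
import os
import tempfile

# Constructed issuer subject hash; a real one comes from `openssl x509 -hash`.
DEMO_HASH = 0xabcd1234


def crl_files_for_issuer(capath, subject_hash):
    """Return the CRL files the hashed-directory lookup reads for one issuer:
    <hash>.r0, <hash>.r1, ... until the first suffix that does not exist."""
    found = []
    k = 0
    while True:
        name = f"{subject_hash:08x}.r{k}"
        if not os.path.isfile(os.path.join(capath, name)):
            break
        found.append(name)
        k += 1
    return found


def orphaned_crl_files(capath, subject_hash):
    """CRL files present for this issuer that the walk never reaches because an
    earlier suffix is missing; these are silently ignored at verification."""
    prefix = f"{subject_hash:08x}.r"
    present = sorted(n for n in os.listdir(capath) if n.startswith(prefix))
    loaded = set(crl_files_for_issuer(capath, subject_hash))
    return [n for n in present if n not in loaded]


def loads_per_session(capath, subject_hash, sessions):
    """Total file reads when every backend repeats the lookup with no shared
    cache, as the thread describes for the directory method."""
    return sessions * len(crl_files_for_issuer(capath, subject_hash))


def build_demo_dir():
    """Constructed directory: one CA with r0, r1 and r3 present, r2 missing."""
    d = tempfile.mkdtemp(prefix="crl_demo_")
    for suffix in (0, 1, 3):
        with open(os.path.join(d, f"{DEMO_HASH:08x}.r{suffix}"), "w") as f:
            f.write("-----BEGIN X509 CRL-----\n(constructed placeholder)\n"
                    "-----END X509 CRL-----\n")
    return d


if __name__ == "__main__":
    d = build_demo_dir()
    print(crl_files_for_issuer(d, DEMO_HASH))   # ['abcd1234.r0', 'abcd1234.r1']
    print(orphaned_crl_files(d, DEMO_HASH))     # ['abcd1234.r3']
    print(loads_per_session(d, DEMO_HASH, 100)) # 200
```

The `orphaned_crl_files` check is the one worth running against a production CRL directory: a delta CRL dropped in as `.r3` while `.r2` was removed is never consulted, so revocations in it are not enforced.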
