On Mon, Mar 21, 2005 at 09:43:06AM +0100, Lutz Jaenicke wrote:
> Note: I did not see any other request for such a change of behaviour,
> so I do not think that an option to either save the peer certificate
> (or not) within the session will be implemented in a later OpenSSL release.
>
I am asking for something subtly different: an option to discard the
peer certificate from the session (regardless of whether I am about to
save it to an external cache).

Few enough people use client certs, few enough of those implement
long-lived server caches, and of these few enough delve into performance
tuning, that I may well be the only one who asks. This does not mean the
need is not there :-)

In my server cache I have: 1900 entries occupying 2.4MBytes (in a btree
totaling 7MB on disk) with an average size of 1300 bytes per entry
(key + value). 977 of these entries are a mere 327 bytes long (no client
cert); the rest of the sessions are 2.4k in average size and occupy 90%
of the space. The vast majority of the client certs are unverified and
waste space. Reducing resource requirements makes a server more DoS
resistant.

I think the feature I am looking for, a function that clears and frees
the peer certificate from a session, is cheap enough to warrant
implementation:

    void SSL_SESSION_reset_peer(SSL_SESSION *session);

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]