Hello,

this is actually my first post to this list, so please excuse me if it is 
too lengthy or too short, or addresses a question already raised in the past 
(which I haven't found in the list archives so far).

I am an application developer of an email client using OpenSSL to secure POP3 
and SMTP connections. For a while now I have also had functionality to check 
the server certificates against a certificate bundle file (ca-bundle.crt) which 
users can store in the resource bundle of the mail client, and the certificate 
check mechanism (via OpenSSL's callback mechanisms) is working fine so far.

The only thing I am currently wondering is if there is a possibility to load 
the ca-bundle.crt file in advance and then reuse it between individual SSL 
connections. The reason I am asking is that on the systems I am developing 
this email client for, the SSL_CTX_load_verify_locations() function easily 
takes 2 - 3 seconds, and AFAIK there is no functionality in OpenSSL to provide 
a preloaded certificate bundle to the SSL context structure.

So what my client currently does is (pseudo code):

— cut here —
[…]
conn->sslCtx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(conn->sslCtx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_load_verify_locations(conn->sslCtx, …);
SSL_CTX_set_default_verify_paths(…);
SSL_CTX_set_verify(conn->sslCtx, …);
SSL_CTX_set_cert_verify_callback(conn->sslCtx, …);
SSL_CTX_set_cipher_list(conn->sslCtx, …);
conn->ssl = SSL_new(conn->sslCtx);
SSL_set_fd(conn->ssl, (int)conn->socket);
SSL_connect(conn->ssl);
[…]
— cut here —

Looking at that execution sequence, the SSL_CTX_load_verify_locations() call 
easily takes 2 - 3 seconds here, either if the ca-bundle file is quite large or 
if the system is busy doing other stuff. This is especially critical since 
there are unfortunately some mail servers on the net (the so-called 'Nemesis' 
mail servers from gmx.de, web.de and 1und1.de) which have a rather short SSL 
negotiation timeout (8 - 10 seconds only) from the initiating STARTTLS call 
until the SSL negotiation has to be finished. Otherwise they simply drop the 
connection - which IMHO is another problem and another story not to be 
discussed here.

So is there some possibility that I can load the ca-bundle.crt file in advance 
and simply supply the data to the SSL_CTX, instead of having to use 
SSL_CTX_load_verify_locations(), which actually loads the ca-bundle.crt file 
from disk every time a new connection is initiated (and thus 
SSL_CTX_load_verify_locations() is called again)?

Best regards,
jens
-- 
Jens Maus, Dresden/Germany
http://jens-maus.de/

(Please note a real name change effective since 5.9.2013.
Former name: Jens Langner)

*** Content is authentic only with digital signature  ***
