On Wed, Oct 19, 2016 at 02:22:31PM +0800, Antonio Quartulli wrote:
> Implement the functions needed by the crl-persist logic when openssl
> is enabled. Such functions are used in the ssl_verify module.
>
> Note that the CRL file is stored in an ad hoc data structure and no
> openssl specific object is used. The data structure being used is a
> sorted array of serials that can later be looked up in log(N) with
> a binary search, thus guaranteeing a fast lookup operation.
>
> Such data structure may be changed in the future with an optimized
> openssl specific object.
>
> Tests have been performed by using a CRL file having size 143MB.
> Original delay upon client connection was around 5-8 seconds.
> With this patch the delay gets close to 0.
>
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>

As discussed on IRC, it might be better to first change the CRL handling code in the OpenSSL module to use the internal routines provided by the OpenSSL library (apparently a patch to implement this change is in the works on somebody else's desk).

At that point my patch could be changed to re-use the same code instead of implementing my own optimized logic.

Note: OpenSSL also uses a sorted array + bsearch for CRL handling, therefore the performance of OpenSSL vs my approach should be similar.

Does anybody else have any opinion against this?

Cheers,

-- 
Antonio Quartulli
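
The sorted-array lookup described in the quoted commit message, sketched as an added example; it is not code from the patch or from OpenVPN. The names `crl_serial`, `serial_set`, `serial_cmp`, `crl_is_revoked` and `demo_lookup` are hypothetical, and the serial values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SERIAL_MAX 20 /* RFC 5280 limits serial numbers to 20 octets */
/* Hypothetical record: one revoked serial as a big-endian integer. */
struct crl_serial { uint8_t len; uint8_t bytes[SERIAL_MAX]; };

/* Normalize: drop leading zero octets so equal integers compare equal. */
static int serial_set(struct crl_serial *s, const uint8_t *in, size_t n)
{
    while (n > 1 && in[0] == 0) { in++; n--; }
    if (n == 0 || n > SERIAL_MAX) return -1;
    memset(s, 0, sizeof(*s));
    s->len = (uint8_t)n;
    memcpy(s->bytes, in, n);
    return 0;
}

/* Numeric order: fewer octets means smaller, then compare bytewise. */
static int serial_cmp(const void *a, const void *b)
{
    const struct crl_serial *x = a, *y = b;
    if (x->len != y->len) return x->len < y->len ? -1 : 1;
    return memcmp(x->bytes, y->bytes, x->len);
}

/* 1 = revoked, 0 = not listed, -1 = malformed serial (caller rejects). */
static int crl_is_revoked(const struct crl_serial *list, size_t count,
                          const uint8_t *serial, size_t n)
{
    struct crl_serial key;
    if (serial_set(&key, serial, n) != 0) return -1;
    return bsearch(&key, list, count, sizeof(*list), serial_cmp) != NULL;
}

/* Constructed sample: three revoked serials, loaded unsorted, sorted once. */
int demo_lookup(const uint8_t *serial, size_t n)
{
    static const uint8_t s1[] = {0x01, 0x00, 0x01}, s2[] = {0x7f}, s3[] = {0x00, 0x12, 0x34};
    struct crl_serial list[3];
    serial_set(&list[0], s1, sizeof(s1));
    serial_set(&list[1], s2, sizeof(s2));
    serial_set(&list[2], s3, sizeof(s3));
    qsort(list, 3, sizeof(list[0]), serial_cmp);
    return crl_is_revoked(list, 3, serial, n);
}

int main(void) { const uint8_t q[] = {0x12, 0x34}; return demo_lookup(q, sizeof(q)) == 1 ? 0 : 1; }
```

Normalizing before both the sort and the lookup matters for correctness: a serial encoded with a leading zero octet must match the same integer stored without one, otherwise a revoked certificate could be missed.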