CRL Race condition few more doubts

2004-12-10 Thread prakash babu
Hello Steve,

Thanks for your reply but a few doubts still exist,
> 1. Suppose we request for the revocation status of many certificates in a
> single request
>
> eg (openssl verify -crl_check -CAfile demoCA/crl/chain  cert1 cert2

Re: CRL Race condition

2004-12-09 Thread Thorsten Müller
Dr. Stephen Henson wrote: You need to mark the stored encoding as invalid if you want to do that. You can do that with: crl->crl->enc.modified = 1; As long as you do that before signing the CRL it should then work. This works fine. Thanks for your help, Thorsten

Re: CRL Race condition clarification

2004-12-09 Thread Dr. Stephen Henson
On Thu, Dec 09, 2004, prakash babu wrote:
> Hello Steve,
>
> Thanks for your explanation. It was very informative,
>
> In OpenSSL 0.9.7e while doing the CRL checking, the following steps are
> performed
>
> a. Caching the original CRL list into cache
> b. Sorting the CRL list.

Re: CRL Race condition

2004-12-09 Thread Dr. Stephen Henson
On Thu, Dec 09, 2004, Thorsten Müller wrote:
> Dr. Stephen Henson wrote:
>
> >
> >The second option, which I implemented, is to cache the original encoding
> >and
> >use the cached form to verify signatures. This makes signature verification
> >much quicker since no reordering is necessary.
>

CRL Race condition clarification

2004-12-09 Thread prakash babu
Hello Steve,

Thanks for your explanation. It was very informative,

In OpenSSL 0.9.7e while doing the CRL checking, the following steps are performed

a. Caching the original CRL list into cache
b. Sorting the CRL list.
c. Searching the given certificate in the sorted CRL

Re: CRL Race condition

2004-12-09 Thread Thorsten Müller
Dr. Stephen Henson wrote: The second option, which I implemented, is to cache the original encoding and use the cached form to verify signatures. This makes signature verification much quicker since no reordering is necessary. This still requires lock when the revoked entries are sorted but they

Re: CRL Race condition

2004-12-08 Thread Dr. Stephen Henson
On Wed, Dec 08, 2004, prakash babu wrote:
> Hello all,
>
> There has been a tremendous performance during CRL check between
> 0.9.7d and 0.9.7e
>
> I measured the time for checking the crl with 1,00,000 entries
> using the following command
>
>

CRL Race condition

2004-12-08 Thread prakash babu
Hello all,

There has been a tremendous performance during CRL check between 0.9.7d and 0.9.7e

I measured the time for checking the crl with 1,00,000 entries using the following command

time openssl verify -crl_check -CAfile $ssl_crl_dir/