@olifre I don't think that's really needed. The SSL_CTX is always current when the connection is made. The CRLs only need to be current when you extract the certificate and try to authenticate it. That only happens once when you make the connection. After that, it doesn't matter if the CRLs go stale because you'll never use them (OK, you may need to when renegotiating, but we don't care because the authentication has already been done). So, every connection is guaranteed to have fresh CRLs. The only downside is that you may wind up with multiple SSL_CTX objects, as the CRL refresh generates a new SSL_CTX for future connections. Generally long-running connections are not that long running (typically less than a day), and CRLs likely don't change often enough to warrant a very short refresh interval (I wish we could determine if CRLs actually changed, but we can't). So, you just wind up sitting on some extra memory for a while. If that creates a problem we can simply add a method to the framework that notifies it that the SSL_CTX used for authentication has finished. If that SSL_CTX is no longer current and we have no outstanding authentications, we delete the X509_store, as it's the biggest memory hog in OpenSSL. Frankly, if the system is very active there will be high reuse of SSL_CTX objects, and if the system is relatively idle it won't create stress. Of course, somewhere in between lies the big unknown.
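As an added illustration of the lifecycle described in this comment (my own sketch, not xrootd code): each authentication pins the context that is current at connect time, `refresh()` swaps in a freshly built context for future connections, and a stale context is dropped as soon as its last in-flight authentication releases it. The class and method names are mine; the `capath` argument assumes CRLs are kept in an OpenSSL hashed directory.

```python
import ssl
import threading


def build_context(cafile=None, capath=None):
    """Build a verifying client context with CRL checking enabled.
    (Assumed layout: CA certs in cafile, CRLs in an OpenSSL hashed capath.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


class CrlRefreshingContextProvider:
    """Hands out the current context and retires stale ones once unused."""

    def __init__(self, build=build_context):
        self._build = build
        self._lock = threading.Lock()
        self._ctx = build()
        self._in_use = {self._ctx: 0}  # ctx -> authentications in progress

    def acquire(self):
        """Pin the context current right now; CRLs are fresh at this point."""
        with self._lock:
            self._in_use[self._ctx] += 1
            return self._ctx

    def release(self, ctx):
        """Authentication finished; drop ctx if it is stale and no longer used."""
        with self._lock:
            remaining = self._in_use[ctx] - 1
            if remaining or ctx is self._ctx:
                self._in_use[ctx] = remaining
            else:
                del self._in_use[ctx]  # stale and idle: free its X509 store

    def refresh(self):
        """Swap in a new context (fresh CRLs) for all future connections."""
        new_ctx = self._build()
        with self._lock:
            old = self._ctx
            self._ctx = new_ctx
            self._in_use.setdefault(new_ctx, 0)
            if self._in_use[old] == 0:
                del self._in_use[old]  # nobody mid-auth on it, drop at once
            return new_ctx

    def live_contexts(self):
        with self._lock:
            return len(self._in_use)
```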


Comment on GitHub issue xrootd/xrootd#750, forwarded to the XROOTD-DEV list: https://github.com/xrootd/xrootd/issues/750#issuecomment-617511543