How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?


Hyer Low
I'm using X509_load_cert_crl_file (OpenSSL) to load the CRL file into the
CTX and create an SSL object for the SSL_accept handshake. Each SSL connection
that has the CRL file (600KB) loaded uses up 10 times more memory than an SSL
connection that doesn't load the CRL.

The system has more than 300 ports serving TLS for 300 different configs, so
300 different CTXs are created, where each CTX serves only one TLS connection.
That has used up most of the system memory.

If the CTX is only used during the handshake, how can I force the CTX to be
cleaned up, or at least clean up the CRL/cert store in the CTX, after the
handshake has completed?

To optimize the server memory, can I use SSL_CTX_set_cert_store(ssl->ctx,
X509_STORE_new()) to force all X509_STOREs to be cleaned up after the handshake?
Will there be any side effects?

OCSP is not an option on the server.



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Matt Caswell-2


On 06/03/2020 03:13, Hyer Low wrote:

> To optimize the server memory, can I use *SSL_CTX_set_cert_store(ssl->ctx,
> X509_STORE_new())* to force all X509_store to be cleanup after handshake?
> Will there be any side effect?

You can just call:

SSL_CTX_set_cert_store(ctx, NULL);

In general it is inadvisable to modify the SSL_CTX after SSL objects
have been created because it is not thread-safe to do so. However, if
the SSL_CTX and SSL are both created on the same thread and never shared
with another thread then I can't think of a reason why doing this would
be a problem.

Another thought is that X509_STORE objects are reference counted. If at
least the store is shared between all your 300 different configs then
you don't have to load it 300 times. Just load it once, and up the ref
count for each SSL_CTX that uses it (or just use
SSL_CTX_set1_cert_store() instead of SSL_CTX_set_cert_store() - and this
ups the ref count for you).


Matt

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Hyer Low
All configs can have different certs set up as well, hence each CTX's cert
store might also be different and not shareable.

Thanks. I'll try it and see if there are any side effects.



Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Matt Caswell-2
One other thing does occur: if you allow renegotiation then you might
need access to the cert-store after the initial handshake has completed.

Matt


On 06/03/2020 10:57, Hyer Low wrote:

> All configs can have different cert being setup as well, hence each CTX cert
> store might also different and not to be share.
>
> Thanks. I'll try and see any possible side effect.
Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Hyer Low
Noted. Renegotiation has been disabled.

Is there any way to clean up the CTX while letting the SSL object itself serve the tunnel? Or can I only depend on the CTX ref after the SSL is deleted?

Regards,
Hyer Low


Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Matt Caswell-2
The CTX needs to be there for the whole time that the SSL is.

Matt

On 06/03/2020 11:17, Hyer Low wrote:

> Noted. Renegotiation has been disable.
>
> Is there anyway to clean the CTX while let SSL object itself serving the
> tunnel ? Or I can only depend on the CTX ref after the SSL is delete?
Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Hyer Low
Good to know that.

Regards,
Hyer Low

On Mar 6, 2020 at 7:24 PM, Matt Caswell (mailto:matt@openssl.org) wrote:

> The CTX needs to be there for the whole time that the SSL is.
>
> Matt