We have developed a patch to improve performance of SSL_load_client_CA_file.
Given a CA file containing many CA certs, it took a long time to check
duplicates because, inside SSL_load_client_CA_file, sk_X509_NAME_find
executes qsort and bsearch for every cert.
The patch introduces hash to check duplicates. This resulted in 300x
speed up in our tests using CA file containing 3742 certs. Specifically,
it took 940ms; after the patch applied, it now takes only 3.3ms.
The attached patch can apply to openssl 1.0.1i cleanly.