This is a discussion on CRL Checking Uses Excessive Memory - modssl ; I work for the DoD. We have about a dozen CA's with their own CRL files. Some of these are over 20M in size. When CRL checking is enabled in Apache (for Linux or Windows), memory use is excessive and ...
I work for the DoD. We have about a dozen CA's with their own CRL files.
Some of these are over 20M in size. When CRL checking is enabled in Apache
(for Linux or Windows), memory use is excessive and httpd processes are
killed by the OS (Linux) due to out of memory conditions and all the memory
swapping activity sends the proc utilization way up there and makes the
server unresponsive. On Windows the CPU use just pegs at 100% (I have no
idea what else is going on in there).
CRL's are downloaded every day and openssl is used to make hash'd file names
(ssl.conf is using SSLCARevocationPath). I don't currently restart apache
after retrieving the new CRL files.
The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
great, but as soon as CRLs are checked, apache starts to go south! I have a
2Gb swap partition and have added another 2Gb swap file to at least keep
things running, but it becomes so slow it might as well crash.
Each httpd process goes from using about 14Mb of memory when not CRL
checking to 250Mb when CRL checking is enabled!
BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
Any ideas on how to use large CRL's in Apache?
Do I just need more memory?
If Apache can't use many large CRL files, would an OSCP solution side-step
these problems? Any good ones out there?
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List email@example.com
Automated List Manager firstname.lastname@example.org