I am working on a DoD project, and we are experiencing high CPU load on HP-UX
servers with multiple CPUs in this scenario. We are thinking it is because
the CRL size for some CAs is huge - ad-hoc tests done with certs associated
with small CRLs do not produce CPU spikes, but large CRLs do. We are running
an older version of Apache and the mod_ssl package without OCSP support, but
have just installed an updated Apache with mod_ssl and OCSP support. Anyone
using this, and if so, have any luck with it? Thanks in advance!

Paul


Victor, Dwight P CTR DISA PAC wrote:
>
> Hi Rob,
>
> I also work for the DoD and am using the same CRLs as you (downloaded and
> converted on a daily basis). We're running a Linux webserver with a single
> 1.8GHz Celeron, 512MB of RAM, and 1GB of swap.
>
> I haven't noticed any memory issues when checking CRLs.
>
> My Apache server starts multiple child servers. It looks like the child
> servers hit around 60MB of memory usage (max) when processing CRL checks;
> 500KB to 1MB seems to be the average child server's memory usage when
> idle.
>
> top says my current load average is about 0.03, 0.01, 0.00. When checking
> CRLs, top says my load average zooms up to around 0.20, 0.05, 0.01.
>
> Of course, my userbase is very small and we aren't doing a ton of CRL
> checks.
>
> OCSP should resolve your issue with plowing through the CRLs, however, I
> have yet to find a viable OCSP solution. There was a patch for mod_ssl, but
> I haven't heard anything about it since it was last released in 2004. Maybe
> someone else on this list knows?
>
> Rob, why don't you email me offline. I'm in the DISA GAL, if you can get to
> that.
>
> Dwight...
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org] On Behalf Of Walls Rob W Contr 75
> CS/SCBS
> Sent: Friday, April 21, 2006 10:47 AM
> To: 'modssl-users@modssl.org'
> Subject: CRL Checking Uses Excessive Memory
>
>
> I work for the DoD. We have about a dozen CAs with their own CRL files.
> Some of these are over 20MB in size. When CRL checking is enabled in Apache
> (for Linux or Windows), memory use is excessive and httpd processes are
> killed by the OS (Linux) due to out of memory conditions, and all the memory
> swapping activity sends the proc utilization way up there and makes the
> server unresponsive. On Windows the CPU use just pegs at 100% (I have no
> idea what else is going on in there).
> CRLs are downloaded every day and openssl is used to make hashed file names
> (ssl.conf is using SSLCARevocationPath). I don't currently restart apache
> after retrieving the new CRL files.
> The Linux machine runs Red Hat with dual 3GHz Xeons and 2GB RAM. SSL works
> great, but as soon as CRLs are checked, apache starts to go south! I have a
> 2GB swap partition and have added another 2GB swap file to at least keep
> things running, but it becomes so slow it might as well crash.
> Each httpd process goes from using about 14MB of memory when not CRL
> checking to 250MB when CRL checking is enabled!
> BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
> machine.
>
> Any ideas on how to use large CRL's in Apache?
>
> Do I just need more memory?
>
> If Apache can't use many large CRL files, would an OCSP solution side-step
> these problems? Any good ones out there?
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>


--
View this message in context: http://www.nabble.com/CRL-Checking-U....html#a6764331
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
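The daily CRL refresh Rob describes (download, convert, hashed file names under SSLCARevocationPath), written out as an added shell example that is not from anyone in this thread. The `.crl` download naming, the directory arguments, the `nextUpdate`/size report and the closing `apachectl graceful` are assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild an SSLCARevocationPath directory from freshly
# downloaded DER CRLs and report each CRL's size and validity window.
set -eu

# mod_ssl/OpenSSL look CRLs up by issuer hash as <hash>.r0, <hash>.r1, ...
# Return the first unused suffix so CRLs sharing a hash can coexist.
next_crl_link_name() {            # $1 = directory, $2 = 8-hex-digit issuer hash
    n=0
    while [ -e "$1/$2.r$n" ] || [ -L "$1/$2.r$n" ]; do n=$((n + 1)); done
    echo "$2.r$n"
}

# Convert one downloaded DER CRL to PEM and link it under its hashed name.
install_crl() {                   # $1 = downloaded CRL (DER), $2 = target dir
    pem="$2/$(basename "$1" .crl).pem"
    openssl crl -inform DER -in "$1" -outform PEM -out "$pem"
    hash=$(openssl crl -in "$pem" -noout -hash)
    link=$(next_crl_link_name "$2" "$hash")
    ln -s "$(basename "$pem")" "$2/$link"
    echo "$pem"
}

# Capacity and validity check: the thread's 20MB CRLs drove each httpd child
# to 250MB, and an expired CRL (nextUpdate in the past) makes every client
# certificate verification fail rather than silently pass.
report_crl() {                    # $1 = PEM CRL
    size=$(wc -c < "$1")
    entries=$(openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true)
    next=$(openssl crl -in "$1" -noout -nextupdate)
    printf '%s: %s bytes, %s revoked entries, %s\n' "$1" "$size" "$entries" "$next"
}

# Rebuild the hash links from scratch so yesterday's CRLs do not linger,
# then reload: mod_ssl reads the CRL files when the server starts, so new
# downloads are not consulted until Apache is restarted (the thread's setup
# never restarts after the daily download).
refresh_all() {                   # $1 = download dir, $2 = SSLCARevocationPath
    rm -f "$2"/*.r[0-9]*
    for der in "$1"/*.crl; do
        pem=$(install_crl "$der" "$2")
        report_crl "$pem"
    done
    apachectl graceful
}
```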
