Efficient CRL checking at Nginx
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 15 20:28:52 UTC 2014
Hello!
On Mon, Dec 15, 2014 at 02:48:03PM -0500, sandeepkolla99 wrote:
> Hi,
> I want to check the validity of a client certificate against CRL. So, I
> have defined in nginx.cong as follows
>
> listen 80;
> listen 443 ssl;
> server_name localhost;
> ssl_certificate serverCert.pem;
> ssl_certificate_key serverKey.key;
> ssl_client_certificate RootCA.pem;
> ssl_verify_client on;
> ssl_verify_depth 2;
> ssl_crl CrlFile.pem;
>
> If I write my nginx.conf as follows, It works fine. My application is
> expected to process a huge number of requests everyday and for each
> time(request) client certificate validity is checked against CrlFile.pem
> (specified at ssl_crl). 1. Does it effect servers response time because
> each time it has to open and read CrlFile.pem?.
No. The CRL file is loaded into memory when loading a
configuration.
> My CrlFile.pem will be updated once a day as per my requirement. So,
> 2. Is there any caching mechanism performed by Nginx to cache CrlFile.pem
> because It has a new copy only once a day?.
See above. For changes to be applied, you'll have to reload nginx
configuration.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list