[stunnel-users] Certificate renaming
D.J. van Enckevort
david at vanenckevort.net
Mon Jul 4 10:22:53 CEST 2005
> Will c_rehash work on Windows?
I think it will work, but that it will make copies of the certificates instead
of symbolic links. However, it might as well do nothing. (Depends on how it
will handle creation of symbolic links which don't exist on Windows)
> Also, if anyone can give me a detailed explanation (or a website that
> does) of this process, and why it is necessary, I would be very greatful.
It is an optimization to find the certificate quicker. If the SSL library is
presented with a certificate it will need to find the matching file to verify
the certificate. If there is no hashing done, it will need to open every file
and read its contents until it finds the right one. If you hash the filenames
with the certificate the library can find the right file using the directory
entry and only needs to open one file. With only a couple of files, this
doesn't make much of a difference, but if you have thousands of certifcates,
it will make a huge speed difference.
There are other hashing schemes that could have been implemented and that
might be more friendly to the administrator. For example some other libraries
use the hostnames as hash values and sort in directories. My certificate for
sokrates.vanenckevort.net would then be stored under
net/vanenckevort/sokrates.pem. However the OpenSSL authors have chosen to use
a flat structure that is quicker with up to a few thousand certificates, but
it does have the disadvantage you mentioned that it is harder to maintain,
especially on systems that do not support symbolic links.
More information about the stunnel-users