Efficient CRL checking at Nginx

addis_a · December 15, 2014, 8:48pm

Hi,
I want to check the validity of a client certificate against CRL. So,
I
have defined in nginx.cong as follows

    listen       80;
    listen 443 ssl;
    server_name localhost;
   ssl_certificate serverCert.pem;
   ssl_certificate_key serverKey.key;
   ssl_client_certificate RootCA.pem;
   ssl_verify_client on;
   ssl_verify_depth 2;
   ssl_crl CrlFile.pem;

If I write my nginx.conf as follows, It works fine. My application is
expected to process a huge number of requests everyday and for each
time(request) client certificate validity is checked against CrlFile.pem
(specified at ssl_crl). 1. Does it effect servers response time because
each time it has to open and read CrlFile.pem?.
My CrlFile.pem will be updated once a day as per my requirement.
So,
2. Is there any caching mechanism performed by Nginx to cache
CrlFile.pem
because It has a new copy only once a day?.
3. Could you please help me in figuring out the best
practice for validating client certificate against CRL.

Regards,
Sandeep

Posted at Nginx Forum:

sandeepkolla99 · December 15, 2014, 9:29pm

Hello!

On Mon, Dec 15, 2014 at 02:48:03PM -0500, sandeepkolla99 wrote:

   ssl_verify_client on;
   ssl_verify_depth 2;
   ssl_crl CrlFile.pem;
If I write my nginx.conf as follows, It works fine. My application is
expected to process a huge number of requests everyday and for each
time(request) client certificate validity is checked against CrlFile.pem
(specified at ssl_crl). 1. Does it effect servers response time because
each time it has to open and read CrlFile.pem?.

No. The CRL file is loaded into memory when loading a
configuration.

    My CrlFile.pem will be updated once a day as per my requirement. So,
Is there any caching mechanism performed by Nginx to cache CrlFile.pem
because It has a new copy only once a day?.

See above. For changes to be applied, you’ll have to reload nginx
configuration.

–
Maxim D.
http://nginx.org/

sandeepkolla99 · December 16, 2014, 6:52pm

Hi Maxim,

Thanks for your help on this issue. I get new crl file everyday. Do we
need to reload the whole Nginx conf?. Is there any way to reload only
crl
file?.

Regards,
Sandeep

Posted at Nginx Forum:

sandeepkolla99 · December 17, 2014, 4:48pm

Hello!

On Tue, Dec 16, 2014 at 12:51:56PM -0500, sandeepkolla99 wrote:

Hi Maxim,

Thanks for your help on this issue. I get new crl file everyday. Do we
need to reload the whole Nginx conf?. Is there any way to reload only crl
file?.

Yes, you have to reload thw whole nginx config. There is no way
to reload only CRL file.

–
Maxim D.
http://nginx.org/

sandeepkolla99 · December 17, 2014, 5:18pm

Thank you very much for your help on this.

Posted at Nginx Forum: