[stunnel-users] Certificate renaming

D.J. van Enckevort david at vanenckevort.net
Mon Jul 4 10:22:53 CEST 2005


Hi,
> Will c_rehash work on Windows?

I think it will work, but that it will make copies of the certificates instead 
of symbolic links. However, it might as well do nothing. (It depends on how it 
will handle the creation of symbolic links, which don't exist on Windows.)

> Also, if anyone can give me a detailed explanation (or a website that 
> does) of this process, and why it is necessary, I would be very grateful.

It is an optimization to find the certificate quicker. If the SSL library is 
presented with a certificate it will need to find the matching file to verify 
the certificate. If there is no hashing done, it will need to open every file 
and read its contents until it finds the right one. If you hash the filenames 
with the certificate the library can find the right file using the directory 
entry and only needs to open one file. With only a couple of files, this 
doesn't make much of a difference, but if you have thousands of certificates, 
it will make a huge speed difference.
There are other hashing schemes that could have been implemented and that 
might be more friendly to the administrator. For example some other libraries 
use the hostnames as hash values and sort in directories. My certificate for 
sokrates.vanenckevort.net would then be stored under 
net/vanenckevort/sokrates.pem. However, the OpenSSL authors have chosen to use 
a flat structure that is quicker with up to a few thousand certificates, but 
it does have the disadvantage you mentioned that it is harder to maintain, 
especially on systems that do not support symbolic links.

Ciao,
   David
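The directory layout the reply describes, as an added example that is not part of the original post, of stunnel, or of OpenSSL's own c_rehash: it computes the hashed filename, creates the `<hash>.<n>` entries as symlinks with a copy fallback where symlinks cannot be made (the Windows case discussed above), and then counts how many files a linear scan opens compared with a hashed lookup. It assumes the pre-1.0.0 OpenSSL subject-name hash of the time (first four bytes of MD5 over the DER-encoded subject, read little-endian); OpenSSL 1.0.0 switched to a SHA-1 based hash, so a modern `openssl rehash` produces different names. The "certificate" files are constructed text stand-ins carrying only a CN, and the DER encoder handles that one attribute, so the script runs offline without any real certificates.

```python
import hashlib
import os
import shutil
import tempfile

# DER encoder for a subject consisting of a single commonName (CN), an assumption
# that keeps the example self-contained; real X.509 names carry more attributes.
OID_COMMON_NAME = bytes([0x06, 0x03, 0x55, 0x04, 0x03])  # OBJECT IDENTIFIER 2.5.4.3

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_name_cn(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID cn, UTF8String value } } }"""
    atv = _tlv(0x30, OID_COMMON_NAME + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))

def subject_hash_old(der_name):
    """Pre-1.0.0 OpenSSL X509_NAME_hash: first four MD5 bytes, little-endian, as 8 hex digits."""
    md = hashlib.md5(der_name).digest()
    value = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)
    return "%08x" % value

def write_fake_cert(path, cn):
    """Constructed stand-in for a PEM file: the subject sits on the first line."""
    with open(path, "w", encoding="utf-8") as f:
        f.write("Subject: CN=%s\n-----BEGIN CERTIFICATE-----\n"
                "(constructed placeholder body)\n-----END CERTIFICATE-----\n" % cn)

def parse_subject(path):
    """Return the CN of a constructed certificate file (a real store would parse X.509)."""
    with open(path, encoding="utf-8") as f:
        first = f.readline().strip()
    prefix = "Subject: CN="
    if not first.startswith(prefix):
        raise ValueError("not a constructed certificate: %s" % path)
    return first[len(prefix):]

def rehash(src_dir, hashed_dir):
    """Create <hash>.<n> entries like c_rehash: a symlink per certificate, or a
    copy where the filesystem cannot create symlinks. Returns {src: (entry, how)}."""
    os.makedirs(hashed_dir, exist_ok=True)
    mapping = {}
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        h = subject_hash_old(der_name_cn(parse_subject(src)))
        n = 0  # suffix increments when two subjects share a hash value
        while os.path.lexists(os.path.join(hashed_dir, "%s.%d" % (h, n))):
            n += 1
        dst = os.path.join(hashed_dir, "%s.%d" % (h, n))
        try:
            os.symlink(os.path.abspath(src), dst)
            how = "symlink"
        except (OSError, NotImplementedError, AttributeError):
            shutil.copyfile(src, dst)  # what the reply expects on Windows
            how = "copy"
        mapping[name] = (os.path.basename(dst), how)
    return mapping

def lookup_linear(cert_dir, cn):
    """Unhashed directory: open every file until the subject matches. Returns (name, opens)."""
    opened = 0
    for name in sorted(os.listdir(cert_dir)):
        opened += 1
        if parse_subject(os.path.join(cert_dir, name)) == cn:
            return name, opened
    return None, opened

def lookup_hashed(hashed_dir, cn):
    """Hashed directory: go straight to <hash>.0, <hash>.1, ... Returns (name, opens)."""
    h = subject_hash_old(der_name_cn(cn))
    opened = n = 0
    while True:
        path = os.path.join(hashed_dir, "%s.%d" % (h, n))
        if not os.path.lexists(path):
            return None, opened  # no entry with this hash: the cert is not in the store
        opened += 1
        if parse_subject(path) == cn:
            return os.path.basename(path), opened
        n += 1

def demo(count=50):
    """Build `count` constructed certs, rehash them, and return (linear_opens, hashed_opens)
    needed to find the last certificate in sort order."""
    root = tempfile.mkdtemp()
    try:
        src = os.path.join(root, "certs")
        os.makedirs(src)
        for i in range(count):
            write_fake_cert(os.path.join(src, "cert_%03d.pem" % i), "host%03d.example.test" % i)
        hashed = os.path.join(root, "hashed")
        rehash(src, hashed)
        target = "host%03d.example.test" % (count - 1)
        _, linear_opens = lookup_linear(src, target)
        _, hashed_opens = lookup_hashed(hashed, target)
        return linear_opens, hashed_opens
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print("files opened (linear, hashed):", demo())
```

The `.0`, `.1` suffix handling is the part worth noticing: the library still compares the subject after opening the file, so a hash collision costs one extra open rather than a wrong match, and a missing `<hash>.0` entry (a certificate dropped into the directory without rerunning the rehash) means the lookup fails even though the file is present.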


