From: Massimiliano P. <mas...@po...> - 2005-11-02 17:54:55
|
eirc dai wrote: > I notice that OCSPD do not support linux threading ( both linux > threading lib and NPTL).so how about its performance > anotherway ,I also see below word in openssl.org about the openssl ocsp > process The problem with OCSPD and threads is that some implementations of the ENGINE interface we tested do not really support threading and have also problems with dynamic forking of process. This is why the server has the actual pre-forking structure. [...] > http://www.openssl.org/docs/apps/ocsp.html > > maybe I ask a stupid question , has OCSPD same issue as openssl OCSP > server? No... the openssl implementation is not meant to be a server, whilst our work provides a stand-alone daemon capable of processing requests quite efficiently. By using an HSM we could achieve >400 requests/second on a single processor server (this on a 5 CAs configuration with 200k entries CRLs) - qualitative measurement, though. While for software only implementation performance drops to 40/50 reqs per second (signed responses). I hope this clarifies the differences with the openssl implementation (we still, anyway, use the openssl ocsp libs for basic crypto operations). -- Best Regards, Massimiliano Pala --o------------------------------------------------------------------------ Massimiliano Pala [OpenCA Project Manager] mas...@po... Tel.: +39 (0)11 564 7081 http://security.polito.it Fax: +39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o------------------------------------------------------------------------ |