[openssl-users] openssl verify with 1B certificates

Richard Moore richmoore44 at gmail.com
Thu Mar 30 20:10:03 UTC 2017

Depends what information you need - if you just need a binary valid/not
valid then prune it first then verify. If you want a more fine grained data
set then don't. Write some code  - forking and running openssl verify each
time will be insanely slow - don't do that. I doubt you really have a
billion unique certificates - avoid testing duplicates. Also don't forget
that you really need certificate chains, so I hope you captured the
intermediate certificates too!



On 30 March 2017 at 18:44, ebe ebe <cipetpet5 at yandex.com> wrote:

> Hello,
> I am a CS graduate student and doing a measurement study regarding the SSL
> ecosystem. I have approximately 1 billion SSL certificates and I would like
> to run openssl verify on each certificate to sift out invalid certificates.
> My major concern, as you might guess, is whether doing this verification is
> feasible given the size of my dataset. An alternative idea I have is to
> replicate the verification steps of openssl. More specifically, I am
> working with a Hadoop infrastructure and I can perform some of the
> verification steps without running into scalability issues (e.g is
> certificate between notBefore-notAfter timestamps, subject key&authority
> key identifier checks). However, with this approach I feel like verifying
> the signature would be a big challenge. Any ideas on how I can tackle these
> problems?
> Regards,
> Ceyhun
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170330/e3403d88/attachment-0001.html>

More information about the openssl-users mailing list