[openssl-users] openssl verify with 1B certificates

Jakob Bohm jb-openssl at wisemo.com
Fri Mar 31 12:41:09 UTC 2017


Also consider using the functions that the "openssl verify"
command uses (source file: apps/verify.c), perhaps from a
bulk process that can be run on each CPU node on your
compute cluster.  With a little thought, these can be done
efficiently, with lots of reused (i.e. not repeated) actions,
such as setting up parameters, loading known CA and intermediary
certs, opening files that contain multiple certs, etc.

On 30/03/2017 22:10, Richard Moore wrote:
> Depends what information you need - if you just need a binary
> valid/not valid then prune it first then verify. If you want a more
> fine grained data set then don't. Write some code  - forking and
> running openssl verify each time will be insanely slow - don't do
> that. I doubt you really have a billion unique certificates - avoid
> testing duplicates. Also don't forget that you really need certificate
> chains, so I hope you captured the intermediate certificates too!
>
> Cheers
>
> Rich.
>
> On 30 March 2017 at 18:44, ebe ebe <cipetpet5 at yandex.com> wrote:
>
>     Hello,
>
>     I am a CS graduate student and doing a measurement study regarding
>     the SSL ecosystem. I have approximately 1 billion SSL certificates
>     and I would like to run openssl verify on each certificate to sift
>     out invalid certificates. My major concern, as you might guess, is
>     whether doing this verification is feasible given the size of my
>     dataset. An alternative idea I have is to replicate the
>     verification steps of openssl. More specifically, I am working
>     with a Hadoop infrastructure and I can perform some of the
>     verification steps without running into scalability issues (e.g. is
>     certificate between notBefore-notAfter timestamps, subject
>     key&authority key identifier checks). However, with this approach
>     I feel like verifying the signature would be a big challenge. Any
>     ideas on how I can tackle these problems?
>
>


-- 
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
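
Added example, not part of the thread and not OpenSSL code: a standard-library Python sketch of the cheap pruning pass discussed above (drop duplicates by SHA-256 of the DER, then drop certificates whose notBefore/notAfter window misses the measurement date), so that only the remainder goes to a long-lived process built on the apps/verify.c functions. All function names, the sample skeletons and the `AT` date are assumptions constructed for illustration; nothing here checks a signature or a chain.

```python
import hashlib
from datetime import datetime, timezone

def tlv(buf, off):  # -> (tag, value_start, value_end) of the DER element at buf[off]
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def parse_time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years >= 50 are 19YY, the rest 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):  # -> (notBefore, notAfter); parses only, verifies nothing
    off = tlv(der, tlv(der, 0)[1])[1]  # Certificate -> first field of tbsCertificate
    for _ in range(4 if der[off] == 0xA0 else 3):  # [0] version if present,
        off = tlv(der, off)[2]                     # serialNumber, signature, issuer
    t1, a, b = tlv(der, tlv(der, off)[1])  # Validity -> notBefore
    t2, c, d = tlv(der, b)  # notAfter follows notBefore
    return parse_time(t1, der[a:b]), parse_time(t2, der[c:d])

def prefilter(ders, at):  # only buckets["verify"] still needs real chain verification
    seen, buckets = set(), {"verify": [], "duplicate": [], "out_of_window": [], "malformed": []}
    for der in ders:
        fp, label = hashlib.sha256(der).digest(), "duplicate"
        if fp not in seen:
            seen.add(fp)
            try:
                nb, na = validity(der)
                label = "verify" if nb <= at <= na else "out_of_window"
            except (ValueError, IndexError):
                label = "malformed"
        buckets[label].append(der)
    return buckets

def _el(tag, body=b""):  # short-form TLV; these samples stay under 128 bytes
    return bytes([tag, len(body)]) + body
def sample(nb, na):  # constructed, unsigned skeleton; not a real certificate
    empty, times = _el(0x30), _el(0x30, _el(0x17, nb) + _el(0x17, na))
    tbs = _el(0xA0, _el(0x02, b"\x02")) + _el(0x02, b"\x01") + empty * 2 + times + empty
    return _el(0x30, _el(0x30, tbs) + empty + _el(0x03, b"\x00"))

GOOD, OLD = sample(b"170101000000Z", b"180101000000Z"), sample(b"990101000000Z", b"000101000000Z")
SAMPLES = [GOOD, GOOD, OLD, b"\x30\x82"]  # in window, its duplicate, lapsed, truncated
AT = datetime(2017, 3, 31, tzinfo=timezone.utc)  # assumed measurement date
```

Passing the collection date as `at` rather than the current time keeps the window check meaningful for a dataset gathered in the past.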

