How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

Matt Caswell matt at
Fri Mar 6 10:40:55 UTC 2020

On 06/03/2020 03:13, Hyer Low wrote:
> I'm using *X509_load_cert_crl_file*(openssl) to load the CRL file into the
> CTX and create SSL for ssl_accept handshake. For each SSL connection that
> has CRL file(600KB) loaded used up 10 times memory more than SSL connection
> that doesn't load CRL.
> The system is having >300 ports that serving TLS for 300 different config,
> where there will be 300 different CTX created where each CTX will only serve
> only 1 TLS connection. That has use up most of the system memory.
> If the CTX is only used during the handshake, how to force the CTX to be
> cleanup, or at least cleanup the CRL/cert store in CTX, after the handshake
> completed?
> To optimize the server memory, can I use *SSL_CTX_set_cert_store(ssl->ctx,
> X509_STORE_new())* to force all X509_store to be cleanup after handshake?
> Will there be any side effect?

You can just call:

SSL_CTX_set_cert_store(ctx, NULL);

In general it is inadvisable to modify the SSL_CTX after SSL objects
have been created because it is not thread-safe to do so. However, if
the SSL_CTX and SSL are both created on the same thread and never shared
with another thread then I can't think of a reason why doing this would
be a problem.

Another thought is that X509_STORE objects are reference counted. If at
least the store is shared between all your 300 different configs then
you don't have to load it 300 times. Just load it once, and up the ref
count for each SSL_CTX that uses it (or just use
SSL_CTX_set1_cert_store() instead of SSL_CTX_set_cert_store() - and this
ups the ref count for you).


> /*OCSP is not an option in the server/
> --
> Sent from:

More information about the openssl-users mailing list