mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
4c2549ba5d
When --crl-verify is enabled, the specified CRL file gets reloaded on every client connection. With huge CRL files it may take a significant amount of time - seconds and tens of seconds, during which OpenVPN is blocked and can't serve existing and/or incoming connections due to its single-threaded nature.

In the alternative mode, the --crl-verify option takes a directory containing files named as decimal serial numbers of the revoked certificates and the 'dir' flag; the revoked certificate check is done by checking for the presence of the client's certificate number in that directory.

This script allows incremental extraction of revoked serial numbers from a CRL by adding absent ones and removing excess ones.

Usage example:

    extractcrl.py -f pem /path/to/crl.pem /path/to/outdir
    extractcrl.py -f der /path/to/crl.crl /path/to/outdir
    cat /path/to/crl.pem | extractcrl.py -f pem - /path/to/outdir
    cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir

Output example:

    Loaded: 309797 revoked certs in 4.136s
    Scanned: 312006 files in 0.61s
    Created: 475 files in 0.05s
    Removed: 2684 files in 0.116s

Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201002215146.31324-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Files in this directory:

extractcrl.py
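The incremental update the commit message describes, as an added Python sketch that is not the project's extractcrl.py: it takes an already-parsed set of revoked serial numbers (CRL parsing is left out) and brings a directory in line with it. The names `sync_revoked_dir` and `is_revoked` are hypothetical, the serials are constructed sample values, and the output directory is assumed to be dedicated to this purpose.

```python
import os
import tempfile


def sync_revoked_dir(revoked_serials, outdir):
    """Make outdir hold one empty file per revoked serial, named in decimal.

    Returns (created, removed) as lists of file names in numeric order.
    """
    wanted = {str(int(s)) for s in revoked_serials}  # normalise to decimal text
    os.makedirs(outdir, exist_ok=True)
    # Only names made of ASCII digits are treated as serial files; any other
    # entry in the directory is left untouched.
    present = {n for n in os.listdir(outdir) if n.isascii() and n.isdigit()}
    created = sorted(wanted - present, key=int)
    removed = sorted(present - wanted, key=int)
    # Create first, so new revocations take effect as early as possible.
    for name in created:
        open(os.path.join(outdir, name), "x").close()
    for name in removed:
        os.unlink(os.path.join(outdir, name))
    return created, removed


def is_revoked(serial, outdir):
    """Directory-mode check: revoked if a file named by the serial exists."""
    return os.path.exists(os.path.join(outdir, str(int(serial))))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as outdir:
        # Constructed sample serials standing in for two successive CRLs.
        print(sync_revoked_dir({0x1001, 0x1002, 0x1003}, outdir))
        print(sync_revoked_dir({0x1002, 0x1003, 0x2000}, outdir))
        print(is_revoked(0x2000, outdir), is_revoked(0x1001, outdir))
```

Because only the difference between the CRL and the directory is written, a run against an unchanged CRL touches no files at all.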