Hi,
I tried to implement Estonian ID card CRL. Unfortunately I failed with nginx version 1.8.0 and 1.10.1. Is it normal that nginx hang with 100% CPU usage for ar CRL size of 50 MB? I waited 100 minutes and it still had not finished processing one request. If/when nginx will support client sertificate revocation check over OCSP or is there some problem with large CRLs?
Here is the relevant config:
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate /etc/nginx/ssl/ee/ee_all_20160927.pem;
ssl_crl /etc/nginx/ssl/ee/ee_all_20160927.crl.pem;
I converted CRLs from DER to PEM and then concatenated all 4 actual CRLs into one file. This file turned out to be around 50 MB in size.
https://sk.ee/en/repository/
https://sk.ee/en/repository/CRL/
I tried to implement Estonian ID card CRL. Unfortunately I failed with nginx version 1.8.0 and 1.10.1. Is it normal that nginx hang with 100% CPU usage for ar CRL size of 50 MB? I waited 100 minutes and it still had not finished processing one request. If/when nginx will support client sertificate revocation check over OCSP or is there some problem with large CRLs?
Here is the relevant config:
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate /etc/nginx/ssl/ee/ee_all_20160927.pem;
ssl_crl /etc/nginx/ssl/ee/ee_all_20160927.crl.pem;
I converted CRLs from DER to PEM and then concatenated all 4 actual CRLs into one file. This file turned out to be around 50 MB in size.
https://sk.ee/en/repository/
https://sk.ee/en/repository/CRL/