cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

List archive

Re: FW: crl-download

From: Wytze van der Raay <wytze AT cacert.org>
To: ulrich AT cacert.org
Cc: cacert-sysadm AT lists.cacert.org
Subject: Re: FW: crl-download
Date: Wed, 10 Apr 2013 16:56:58 +0200
Organization: CAcert

Hi Ulrich,

On 10.04.2013 16:21,
ulrich AT cacert.org
wrote:
> one late issue after the server migration ?!?

No, this has nothing to do with the migration of the webdb server.
The CRL server is running on a separate server which has not changed
in the past 20 months or so.

> downloading crl error ... ?!?

These problems are basically caused by overload -- not so much of the
server itself, but rather of the firewall in front (I think). On the
CRL server itself we do not see 403 errors. What we do see though is
an *immense* amount of traffic, typically 80 to 90 Gigabytes per day.

This is partly due to the rather large size of the revocation list,
in particular the http://crl.cacert.org/revoke.crl ;(over 5 megabytes),
but more so due to the large number of unintelligent clients which
attempt to retrieve this crl way more frequently than what is sensible.
For up-to-date revocation information, OCSP is the recommended protocol.

The size of the revocation list could be cut down considerably if we
can get agreement on dropping all the old entries in there, entries
for certificates which have expired anyway. While the RFCs allow this,
there has not been consensus within CAcert on implementing this.

As for unintelligent clients: since we have no control over them,
we might decide to get rid of the firewall, and implement a filter
directly on the crl server to block clients which attempt to reload
the CRL within some (tunable) number of hours. Currently this is not
possible, since the firewall (acting as a proxy) hides the clients
for the server.

Regards,
-- wytze

> -----Original Message-----
> From: Andreas Neumann
> [mailto:andreas.neumann AT tu-ilmenau.de]
>
> Sent: Wednesday, April 10, 2013 11:43 AM
> To:
> cacert-de AT lists.cacert.org
> Subject: crl-download
>
>
> Moin,
>
> der Versuch die aktuelle CRL herunterzuladen wird mit HTTP-Code 324
> (empty response) im Browser, bzw. HTTP-Code 403 (access forbidden) im
> wget beantwortet.
>
> Es handelt sich um folgende Dateien:
> http://crl.cacert.org/class3-revoke.crl
> http://crl.cacert.org/revoke.crl
>
> Links von http://www.cacert.org/index.php?id=3
>
> Viele Grüße,
> Andreas

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

FW: crl-download, ulrich, 04/10/2013
- Re: FW: crl-download, Wytze van der Raay, 04/10/2013
  - RE: FW: crl-download, ulrich, 04/10/2013
    - Re: FW: crl-download, Wytze van der Raay, 04/11/2013
      - Re: FW: crl-download, Guillaume ROMAGNY, 04/11/2013
      - RE: FW: crl-download, ulrich, 04/11/2013
        
        *.it-sls.de testserver maintenance - scheduled 2013-04-12 starting 18:00 local time for estimated 24 hours, ulrich, 04/11/2013
        
        Re: *.it-sls.de testserver maintenance - scheduled 2013-04-12 starting 18:00 local time for estimated 24 hours, Wytze van der Raay, 04/12/2013
        
        RE: *.it-sls.de testserver maintenance - scheduled 2013-04-12 starting 18:00 local time for estimated 24 hours, ulrich, 04/12/2013
        Re: *.it-sls.de testserver maintenance - scheduled 2013-04-12 starting 18:00 local time for estimated 24 hours, Wytze van der Raay, 04/13/2013
      - Re: FW: crl-download, Michael Tänzer, 04/11/2013
    - RE: FW: crl-download, Philipp Gühring, 04/15/2013