CRL Checking & SSL Handshake performance concern
Mehrdad
Posted: Thu Oct 25, 2007 11:54 am Post subject: CRL Checking & SSL Handshake performance concern
Master
Joined: 27 Feb 2004 Posts: 219 Location: Europe
I am posting this on behalf of a new member who has login problems.
--------------------------------------------------------------------------------
My project calls for the local queue manager to connect to a remote queue manager over a secure channel for message exchange. My question is related to performance on such a connection.
It is my understanding that, if enabled, CRL checking occurs with the negotiation of the SSL handshake. How frequently will the SSL handshake process take place? We have a concern that if this is something that happens a lot, CRL checking against a remote LDAP repository (our certificate is issued by a remote CA) could impose a severe performance penalty. Reading through the documentation I was not able to find references to this issue.
Thanks,
Eric

PeterPotkay
Posted: Thu Oct 25, 2007 3:49 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
mvic
Posted: Thu Oct 25, 2007 4:25 pm Post subject:
Jedi
Joined: 09 Mar 2004 Posts: 2080
I would normally agree completely. Unfortunately I read both those links and didn't see any reference to when CRLs are consulted as part of the whole scheme.
I searched a bit more and found slightly more at the page "Accessing CRLs and ARLs" at http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzas.doc/sy12700_.htm
This suggests it is when a certificate is received that the CRL is consulted. I don't see a clear statement about CRLs being consulted, or not, at any other times in the life of an SSL MQ channel. Maybe time for a call to IBM Support, if authoritative answers can't be found elsewhere...

erichknipp
Posted: Fri Oct 26, 2007 10:51 am Post subject: Thanks, everyone
Newbie
Joined: 26 Oct 2007 Posts: 1
I still don't have a perfect answer but this goes a long way towards getting me there.
Also, many thanks to Mehrdad for helping me out when I could not log in.
Eric

BenjaminTallmadge
Posted: Thu Dec 06, 2007 2:39 pm Post subject: inactive channel means SSL renegotiation?
Newbie
Joined: 06 Dec 2007 Posts: 1
Doesn't the SSL negotiation also happen when the channel goes from inactive to active? I thought the TCP connection was dropped when the channel went inactive and the session key would be discarded.