Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-3971 Improve OCSP responder performance
  3. ECA-4084

Improve OCSP HSM signing thread behaviour

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.2.7
    • Fix Version/s: EJBCA 6.2.8
    • Component/s: Protocols
    • Labels:
      None
    • Issue discovered during:
      Other

      Description

      Multiple small things in HsmResponseThread:
      1. Helper CertTools.convertToX509CertificateHolder(chain) can be used to avoid code duplication.
      2. Conversion should be done in constructor to as quickly as possible return the thread to the pool.
      3. Each HsmResponseThread allocates 20480 bytes via BC's BufferingContentSigner even though a response signed with 4K RSA key and one level chain is less than 2048 bytes. Lower this to at least 4096 bytes.

      (3: In high performance environments, the full OCSP response should in general be smaller than 1492 bytes to fit in a single Ethernet frame. If the system isn't optimized for this, then hitting the buffer limit might not be so important.)

        Attachments

          Activity

            People

            Assignee:
            johan Johan Eklund
            Reporter:
            johan Johan Eklund
            Verified by:
            Mike Agrenius Kushner
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: