From: Daniel Stenberg Date: Mon, 19 Sep 2022 12:55:30 +0000 (+0200) Subject: TODO: Reduce CA certificate bundle reparsing X-Git-Tag: curl-7_86_0~201 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e9a85c46233029617d2de4e1e78f3b18f5ae3829;p=thirdparty%2Fcurl.git TODO: Reduce CA certificate bundle reparsing By adding some sort of cache. Reported-by: Michael Drake Closes #9379 Closes #9538 --- diff --git a/docs/TODO b/docs/TODO index 97afcec3ac..3cbd1d3788 100644 --- a/docs/TODO +++ b/docs/TODO @@ -120,6 +120,7 @@ 13.9 TLS record padding 13.10 Support Authority Information Access certificate extension (AIA) 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY + 13.12 Reduce CA certificate bundle reparsing 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.14 Support the clienthello extension @@ -844,6 +845,15 @@ Adding this feature would make curls pinning 100% compatible to HPKP and allow more flexible pinning. +13.12 Reduce CA certificate bundle reparsing + + When using the OpenSSL backend, curl will load and reparse the CA bundle at + the creation of the "SSL context" when it sets up a connection to do a TLS + handshake. A more effective way would be to somehow cache the CA bundle to + avoid it having to be repeatedly reloaded and reparsed. + + See https://github.com/curl/curl/issues/9379 + 13.13 Make sure we forbid TLS 1.3 post-handshake authentication RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
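Review bot: in the new 13.12 paragraph (second hunk, docs/TODO at -844), "somehow cache the CA bundle" does not say when a cached bundle stops being valid, and that is the security-relevant part of this item. The bundle is the trust store, so a cache that outlives a change to the file on disk would keep accepting a CA that has since been removed from it. Suggest adding a sentence that any cache must be refreshed when the bundle file changes or after a bounded lifetime, and stating the intended scope of the cache. Minor wording: "A more effective way" reads better as "A more efficient way", since the point is avoiding repeated loading and parsing.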