On 26/04/17 10:53, Yuri Voinov wrote:
Ok, but how NO_DEFAULT_CA should help with this?
It prevents OpenSSL copying that 1MB into each incoming client connections memory. The CAs are only useful there when you have some of the global CAs as root for client certificates - in which case you still only want to trust the roots you paid for service and not all of them.
Just something to try if there are huge memory issues with TLS/SSL proxying. The default behaviour is fixed for Squid-4 with the config options changes. But due to being a major surprise for anyone already relying on global roots for client certs it remains a problem in 3.5.
Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
