This helps reduce filesystem use. Internally, openssl caches root certs within SSL_CTX instances, exposed as SslConnector instances in Rust, and we can make use of this ability by simply reusing SslConnectors for many connections.
One concern with this approach is ending up with stale certs. OpenSSL's docs simply say it "loads certificates and CRLs on demand, and caches them in memory". From my experiments, and also from reading the code, it appears as though certs are cached forever. To work around this, we keep SslConnectors only for 1 minute and then recreate them in order to clear any cached certs.
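As an added illustration of the one-minute rotation described above (example code, not the project's own), a small generic holder that rebuilds its value once a TTL has elapsed; the openssl crate wiring is an assumption shown only in a trailing comment, since the holder itself needs nothing beyond std.

```rust
use std::sync::Mutex;
use std::time::{Duration, Instant};

/// A value that is rebuilt once it is older than `ttl`.
///
/// This is the rotation the text describes: an openssl `SslConnector` wraps
/// an `SSL_CTX` that caches root certificates for as long as it lives, so the
/// connector is kept for one minute and then built afresh, dropping the cache.
pub struct Refreshing<T> {
    ttl: Duration,
    build: Box<dyn Fn() -> T + Send + Sync>,
    slot: Mutex<Option<(T, Instant)>>,
}

impl<T: Clone> Refreshing<T> {
    pub fn new(ttl: Duration, build: Box<dyn Fn() -> T + Send + Sync>) -> Self {
        Refreshing { ttl, build, slot: Mutex::new(None) }
    }

    /// Current value, rebuilt first if it has expired. `SslConnector` is
    /// `Clone` (clones share one `SSL_CTX`), so handing out clones is exactly
    /// what lets many connections reuse a single context.
    pub fn get(&self) -> T {
        self.get_at(Instant::now())
    }

    /// Same as `get` with the clock injected, so the rotation can be tested.
    pub fn get_at(&self, now: Instant) -> T {
        let mut slot = self.slot.lock().unwrap();
        let expired = match &*slot {
            Some((_, built_at)) => now.duration_since(*built_at) >= self.ttl,
            None => true,
        };
        if expired {
            *slot = Some(((self.build)(), now));
        }
        match &*slot {
            Some((value, _)) => value.clone(),
            None => unreachable!("slot was just filled"),
        }
    }
}

// Wiring with the openssl crate (assumed, not compiled here):
//   let connectors = Refreshing::new(Duration::from_secs(60), Box::new(|| {
//       SslConnector::builder(SslMethod::tls()).unwrap().build()
//   }));
//   let connector = connectors.get(); // reuse for every connection made this minute
```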