Changeset 2246a84 in mod_gnutls

Timestamp:

Apr 21, 2018, 3:51:51 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master, master, proxy-ticket

Children:

7921dc7

Parents:

fa6d0bb

Message:

Make automatic OCSP cache updates and fuzz time configurable

Files:

• doc/mod_gnutls_manual.mdwn (modified) (3 diffs)
• include/mod_gnutls.h.in (modified) (2 diffs)
• src/gnutls_config.c (modified) (5 diffs)
• src/gnutls_ocsp.c (modified) (7 diffs)
• src/gnutls_ocsp.h (modified) (2 diffs)
• src/mod_gnutls.c (modified) (2 diffs)

doc/mod_gnutls_manual.mdwn

@@ -4 +4 @@
 
 `mod_gnutls` is a module for the Apache web server that provides HTTPS
-(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
-Layer (SSL)) using the GnuTLS library.  More information about the
-module can be found at [the project's website](https://mod.gnutls.org/).
+(HTTP over Transport Layer Security (TLS)) using the GnuTLS library.
+More information about the module can be found at
+[the project's website](https://mod.gnutls.org/).
 
 * * * * *
@@ -568 +568 @@
 OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
 
+### GnuTLSOCSPAutoRefresh
+
+Regularly refresh cached OCSP response independent of TLS handshakes?
+
+    GnuTLSOCSPAutoRefresh [On|Off]
+
+Default: *on*\
+Context: server config, virtual host
+
+By default `mod_gnutls` will regularly refresh the cached OCSP
+response for hosts that have OCSP stapling enabled, regardless of
+whether it is used. This has advantages over updating the OCSP
+response only if a TLS handshake needs it:
+
+* Updating the cached response before it expires can hide short
+  unavailability of the OCSP responder, if a repeated request is
+  successful before the cache expires (see below).
+
+* Handshakes are not slowed down by fetching responses.
+
+The interval to the next request is determined as follows: After a
+successful OCSP request the next one is scheduled for a random period
+between `GnuTLSOCSPFuzzTime` and half of it before
+`GnuTLSOCSPCacheTimeout` expires. For example, if the cache timeout is
+3600 seconds and the fuzz time 600 seconds, the next request will be
+sent after 3000 to 3300 seconds. If the validity period of the
+response expires before then, the selected interval is halved until it
+is smaller than the time until expiry. If an OCSP request fails, it is
+retried after `GnuTLSOCSPFailureTimeout`.
+
+Regularly updating the OCSP cache requires `mod_watchdog`,
+`mod_gnutls` will fall back to updating the OCSP cache during
+handshakes if `mod_watchdog` is not available or this option is set to
+`Off`.
+
 ### GnuTLSOCSPCheckNonce
 
@@ -640 +675 @@
 one means that stapling will remain disabled for longer after a failed
 request.
+
+### GnuTLSOCSPFuzzTime
+
+Update the cached OCSP response up to this time before the cache expires
+
+    GnuTLSOCSPFuzzTime SECONDS
+
+Default: *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*\
+Context: server config, virtual host
+
+Refreshing the cached response before it expires hides short OCSP
+responder unavailability. See `GnuTLSOCSPAutoRefresh` for how this
+value is used, using at least twice `GnuTLSOCSPFailureTimeout` is
+recommended.
 
 ### GnuTLSOCSPSocketTimeout

include/mod_gnutls.h.in

@@ -214 +214 @@
     /* Enable OCSP stapling */
     unsigned char ocsp_staple;
+    /* Automatically refresh cached OCSP response? */
+    unsigned char ocsp_auto_refresh;
     /* Check nonce in OCSP responses? */
     unsigned char ocsp_check_nonce;
@@ -228 +230 @@
     /* If an OCSP request fails wait this long before trying again. */
     apr_interval_time_t ocsp_failure_timeout;
+    /** How long before a cached OCSP response expires should it be
+     * updated? During configuration parsing this is set to the
+     * maximum, during post configuration the value will be set to
+     * half that. After each update the interval to for the next one
+     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
+     * RANDOM` with `0 <= RANDOM <= 1`. */
+    apr_interval_time_t ocsp_fuzz_time;
     /* Socket timeout for OCSP requests */
     apr_interval_time_t ocsp_socket_timeout;

src/gnutls_config.c

@@ -3 +3 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Fiona Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -851 +851 @@
                                 "GnuTLSOCSPFailureTimeout"))
         sc->ocsp_failure_timeout = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPFuzzTime"))
+        sc->ocsp_fuzz_time = apr_time_from_sec(argint);
     else if (!apr_strnatcasecmp(parms->directive->directive,
                                 "GnuTLSOCSPSocketTimeout"))
@@ -1105 +1108 @@
 
     sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_auto_refresh = GNUTLS_ENABLED_UNSET;
     sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
     sc->ocsp_response_file = NULL;
@@ -1110 +1114 @@
     sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
+    sc->ocsp_fuzz_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
 
@@ -1171 +1176 @@
 
     gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(ocsp_auto_refresh, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
     gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_fuzz_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
 

src/gnutls_ocsp.c

@@ -86 +86 @@
     else
         sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
+    return NULL;
+}
+
+
+
+const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
+                                      void *dummy __attribute__((unused)),
+                                      const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
+    else
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_FALSE;
 
     return NULL;
@@ -929 +946 @@
 
 
-/** The maximum random fuzz interval that will not overflow. The
- * permitted values are limited to whatever will not make an
- * `apr_interval_time_t` variable overflow when multiplied with
- * `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit signed
- * integer the maximum fuzz interval is about 4.5 years, which should
- * be more than plenty. */
-#define MAX_FUZZ_TIME (APR_INT64_MAX / APR_UINT16_MAX)
+/** The maximum random fuzz base (half the maximum fuzz) that will not
+ * overflow. The permitted values are limited to whatever will not
+ * make an `apr_interval_time_t` variable overflow when multiplied
+ * with `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit
+ * signed integer the maximum fuzz interval is about 4.5 years, which
+ * should be more than plenty. */
+#define MAX_FUZZ_BASE (APR_INT64_MAX / APR_UINT16_MAX)
 
 /**
@@ -972 +989 @@
     apr_status_t rv = mgs_cache_ocsp_response(server, &expiry);
 
-    /* TODO: Make maximum fuzz time configurable and compare to
-     * allowed maximum during config */
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
-                 "%s: Maximum fuzz time without overflow: %" APR_INT64_T_FMT
-                 " seconds",
-                 __func__, apr_time_sec(MAX_FUZZ_TIME));
-
     apr_interval_time_t next_interval;
     if (rv != APR_SUCCESS)
@@ -998 +1008 @@
         }
 
-        /* Base fuzz is half the maximum (sc->ocsp_cache_time / 8 at
-         * the moment). The actual fuzz is between the maximum and
-         * half that. */
-        apr_interval_time_t base_fuzz = sc->ocsp_cache_time / 16;
-        apr_interval_time_t fuzz =
-            base_fuzz + base_fuzz * random_bytes / APR_UINT16_MAX;
+        /* Choose the fuzz interval for the next update between
+         * `sc->ocsp_fuzz_time` and twice that. */
+        apr_interval_time_t fuzz = sc->ocsp_fuzz_time
+            + (sc->ocsp_fuzz_time * random_bytes / APR_UINT16_MAX);
 
         /* With an extremly short timeout or weird nextUpdate value
@@ -1096 +1104 @@
 
     /* set default values for unset parameters */
+    if (sc->ocsp_auto_refresh == GNUTLS_ENABLED_UNSET)
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
     if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
@@ -1104 +1114 @@
     if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET)
         sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
+    /* Base fuzz is half the configured maximum, the actual fuzz is
+     * between the maximum and half that. The default maximum is
+     * sc->ocsp_cache_time / 8, or twice the failure timeout,
+     * whichever is larger (so the default guarantees at least one
+     * retry before the cache entry expires).*/
+    if (sc->ocsp_fuzz_time == MGS_TIMEOUT_UNSET)
+    {
+        sc->ocsp_fuzz_time = sc->ocsp_cache_time / 16;
+        if (sc->ocsp_fuzz_time < sc->ocsp_failure_timeout)
+            sc->ocsp_fuzz_time = sc->ocsp_failure_timeout;
+    }
+    else
+        sc->ocsp_fuzz_time = sc->ocsp_fuzz_time / 2;
+
+    /* This really shouldn't happen considering MAX_FUZZ_BASE is about
+     * 4.5 years, but better safe than sorry. */
+    if (sc->ocsp_fuzz_time > MAX_FUZZ_BASE)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
+                     "%s: Maximum fuzz time is too large, maximum "
+                     "supported value is %" APR_INT64_T_FMT " seconds",
+                     __func__, apr_time_sec(MAX_FUZZ_BASE) * 2);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
@@ -1150 +1184 @@
     /* The watchdog structure may be NULL if mod_watchdog is
      * unavailable. */
-    if (sc->singleton_wd != NULL)
+    if (sc->singleton_wd != NULL
+        && sc->ocsp_auto_refresh == GNUTLS_ENABLED_TRUE)
     {
         apr_status_t rv =

src/gnutls_ocsp.h

@@ -1 +1 @@
 /*
- *  Copyright 2016 Fiona Klute
+ *  Copyright 2016-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -54 +54 @@
                                      const int arg);
 
+const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
+                                      void *dummy __attribute__((unused)),
+                                      const int arg);
+
 const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                      void *dummy __attribute__((unused)),

src/mod_gnutls.c

@@ -370 +370 @@
                  NULL, RSRC_CONF,
                  "Enable OCSP stapling"),
+    AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
+                 NULL, RSRC_CONF,
+                 "Regularly refresh cached OCSP response independent "
+                 "of TLS handshakes?"),
     AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
                  NULL, RSRC_CONF,
@@ -385 +389 @@
                   "Wait this many seconds before retrying a failed OCSP "
                   "request"),
+    AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "Update cached OCSP response up to this many seconds "
+                  "before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
     AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,