Changeset 333bbc7 in mod_gnutls

Timestamp:

Oct 27, 2016, 5:50:18 PM (2 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, master, upstream

Children:

0a02378

Parents:

c6dda6d

Message:

Configurable OCSP socket timeout

Stalled OCSP requests must time out after a while to prevent stalling
the server too much. However, if the timeout is too short requests may
fail with a slow OCSP responder or high latency network
connection. Using the new GnuTLSOCSPFailureTimeout parameter users can
adjust the timeout if necessary.

All macros defining default values for OCSP related times are now
collected in gnutls_ocsp.h.

Files:

• doc/mod_gnutls_manual.mdwn (modified) (1 diff)
• include/mod_gnutls.h.in (modified) (1 diff)
• src/gnutls_config.c (modified) (4 diffs)
• src/gnutls_ocsp.c (modified) (3 diffs)
• src/gnutls_ocsp.h (modified) (1 diff)
• src/mod_gnutls.c (modified) (1 diff)

doc/mod_gnutls_manual.mdwn

@@ -601 +601 @@
 one means that stapling will remain disabled for longer after a failed
 request.
+
+### GnuTLSOCSPSocketTimeout
+
+EXPERIMENTAL: Timeout for TCP sockets used to send OCSP requests
+
+    GnuTLSOCSPFailureTimeout SECONDS
+
+Default: *6*\
+Context: server config, virtual host
+
+Stalled OCSP requests must time out after a while to prevent stalling
+the server too much. However, if the timeout is too short requests may
+fail with a slow OCSP responder or high latency network
+connection. This parameter allows you to adjust the timeout if
+necessary.
+
+Note that this is not an upper limit for the completion of an OCSP
+request but a socket timeout. The connection will time out if there is
+no activity (successful send or receive) at all for the configured
+time.
 
 * * * * *

include/mod_gnutls.h.in

@@ -226 +226 @@
     /* If an OCSP request fails wait this long before trying again. */
     apr_time_t ocsp_failure_timeout;
+    /* Socket timeout for OCSP requests */
+    apr_interval_time_t ocsp_socket_timeout;
 } mgs_srvconf_rec;
 

src/gnutls_config.c

@@ -20 +20 @@
 
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #include "apr_lib.h"
 #include <gnutls/abstract.h>
 
 #define INIT_CA_SIZE 128
-/* Default OCSP response grace time in seconds */
-#define MGS_GRACE_TIME 60
-/* Default OCSP failure timeout in seconds */
-#define MGS_FAILURE_TIMEOUT 300
 
 #ifdef APLOG_USE_MODULE
@@ -875 +872 @@
                                 "GnuTLSOCSPFailureTimeout"))
         sc->ocsp_failure_timeout = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPSocketTimeout"))
+        sc->ocsp_socket_timeout = apr_time_from_sec(argint);
     else
         /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
@@ -1128 +1128 @@
     sc->ocsp_mutex = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
-    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_FAILURE_TIMEOUT);
+    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
+    sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1190 +1191 @@
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
     gnutls_srvconf_merge(ocsp_failure_timeout,
-                         apr_time_from_sec(MGS_FAILURE_TIMEOUT));
+                         apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT));
+    gnutls_srvconf_merge(ocsp_socket_timeout,
+                         apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT));
 
     gnutls_srvconf_assign(ca_list);

src/gnutls_ocsp.c

@@ -34 +34 @@
 #define OCSP_REQ_TYPE "application/ocsp-request"
 #define OCSP_RESP_TYPE "application/ocsp-response"
-
-/* Default socket timeout for OCSP responder connections, in
- * seconds. Note that the timeout applies to "absolutely no data sent
- * or received", not the whole connection. 10 seconds in mod_ssl. */
-#define OCSP_SOCKET_TIMEOUT 2
 
 /* Dummy data for failure cache entries (one byte). */
@@ -459 +454 @@
      * works. */
     apr_socket_t *sock;
-    /* TODO: configurable timeout */
-    apr_interval_time_t timeout = apr_time_from_sec(OCSP_SOCKET_TIMEOUT);
     while (sa)
     {
@@ -467 +460 @@
         if (rv == APR_SUCCESS)
         {
-            apr_socket_timeout_set(sock, timeout);
+            apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);
             rv = apr_socket_connect(sock, sa);
             if (rv == APR_SUCCESS)

src/gnutls_ocsp.h

@@ -24 +24 @@
 
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
+
+/* Default OCSP response grace time in seconds */
+#define MGS_GRACE_TIME 60
+/* Default OCSP failure timeout in seconds */
+#define MGS_OCSP_FAILURE_TIMEOUT 300
+/* Default socket timeout for OCSP responder connections, in
+ * seconds. Note that the timeout applies to "absolutely no data sent
+ * or received", not the whole connection. 10 seconds in mod_ssl. */
+#define MGS_OCSP_SOCKET_TIMEOUT 6
 
 /**

src/mod_gnutls.c

@@ -288 +288 @@
                   "EXPERIMENTAL: Wait this many seconds before retrying a "
                   "failed OCSP request"),
+    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "EXPERIMENTAL: Socket timeout for OCSP requests"),
 #ifdef __clang__
     /* Workaround for this clang bug: