Changeset 333bbc7 in mod_gnutls
- Timestamp:
- Oct 27, 2016, 5:50:18 PM (4 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- 0a02378
- Parents:
- c6dda6d
- Files:
-
- 6 edited
doc/mod_gnutls_manual.mdwn
rc6dda6d r333bbc7 601 601 one means that stapling will remain disabled for longer after a failed 602 602 request. 603 604 ### GnuTLSOCSPSocketTimeout 605 606 EXPERIMENTAL: Timeout for TCP sockets used to send OCSP requests 607 608 GnuTLSOCSPFailureTimeout SECONDS 609 610 Default: *6*\ 611 Context: server config, virtual host 612 613 Stalled OCSP requests must time out after a while to prevent stalling 614 the server too much. However, if the timeout is too short requests may 615 fail with a slow OCSP responder or high latency network 616 connection. This parameter allows you to adjust the timeout if 617 necessary. 618 619 Note that this is not an upper limit for the completion of an OCSP 620 request but a socket timeout. The connection will time out if there is 621 no activity (successful send or receive) at all for the configured 622 time. 603 623 604 624 * * * * * -
include/mod_gnutls.h.in
rc6dda6d r333bbc7 226 226 /* If an OCSP request fails wait this long before trying again. */ 227 227 apr_time_t ocsp_failure_timeout; 228 /* Socket timeout for OCSP requests */ 229 apr_interval_time_t ocsp_socket_timeout; 228 230 } mgs_srvconf_rec; 229 231 -
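Review bot: The new `ocsp_socket_timeout` field comment does not say what kind of timeout it is, and the hunk in gnutls_ocsp.h shows it is an inactivity timeout rather than a deadline for the whole request, which is the distinction a reader of this struct needs. I would expand the comment to `/* Socket timeout for OCSP responder connections: applies to a period with no data sent or received at all, not to the whole request. apr_interval_time_t is in microseconds; the config code fills it via apr_time_from_sec(). */`. The enclosing `mgs_srvconf_rec` struct starts outside the hunk.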
src/gnutls_config.c
rc6dda6d r333bbc7 20 20 21 21 #include "mod_gnutls.h" 22 #include "gnutls_ocsp.h" 22 23 #include "apr_lib.h" 23 24 #include <gnutls/abstract.h> 24 25 25 26 #define INIT_CA_SIZE 128 26 /* Default OCSP response grace time in seconds */27 #define MGS_GRACE_TIME 6028 /* Default OCSP failure timeout in seconds */29 #define MGS_FAILURE_TIMEOUT 30030 27 31 28 #ifdef APLOG_USE_MODULE … … 875 872 "GnuTLSOCSPFailureTimeout")) 876 873 sc->ocsp_failure_timeout = apr_time_from_sec(argint); 874 else if (!apr_strnatcasecmp(parms->directive->directive, 875 "GnuTLSOCSPSocketTimeout")) 876 sc->ocsp_socket_timeout = apr_time_from_sec(argint); 877 877 else 878 878 /* Can't happen unless there's a serious bug in mod_gnutls or Apache */ … … 1128 1128 sc->ocsp_mutex = NULL; 1129 1129 sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME); 1130 sc->ocsp_failure_timeout = apr_time_from_sec(MGS_FAILURE_TIMEOUT); 1130 sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT); 1131 sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT); 1131 1132 1132 1133 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ … … 1190 1191 gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME)); 1191 1192 gnutls_srvconf_merge(ocsp_failure_timeout, 1192 apr_time_from_sec(MGS_FAILURE_TIMEOUT)); 1193 apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT)); 1194 gnutls_srvconf_merge(ocsp_socket_timeout, 1195 apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT)); 1193 1196 1194 1197 gnutls_srvconf_assign(ca_list); -
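Review bot: The new `GnuTLSOCSPSocketTimeout` branch passes `apr_time_from_sec(argint)` straight into `sc->ocsp_socket_timeout`, and that value is later handed to `apr_socket_timeout_set()` (gnutls_ocsp.c hunk), where 0 means non-blocking and a negative value means block forever; a configured `0` would therefore make the OCSP request fail immediately and a negative value would remove the stall protection this directive is meant to provide. Unless the parsing earlier in `mgs_set_timeout` (its start is outside the hunk) already rejects non-positive values, I would add a guard before the directive dispatch, e.g. `if (argint <= 0) return "Timeout must be a positive number of seconds";`. The same consideration applies to the other timeouts this function sets, but it is most consequential for the socket timeout.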
src/gnutls_ocsp.c
rc6dda6d r333bbc7 34 34 #define OCSP_REQ_TYPE "application/ocsp-request" 35 35 #define OCSP_RESP_TYPE "application/ocsp-response" 36 37 /* Default socket timeout for OCSP responder connections, in38 * seconds. Note that the timeout applies to "absolutely no data sent39 * or received", not the whole connection. 10 seconds in mod_ssl. */40 #define OCSP_SOCKET_TIMEOUT 241 36 42 37 /* Dummy data for failure cache entries (one byte). */ … … 459 454 * works. */ 460 455 apr_socket_t *sock; 461 /* TODO: configurable timeout */462 apr_interval_time_t timeout = apr_time_from_sec(OCSP_SOCKET_TIMEOUT);463 456 while (sa) 464 457 { … … 467 460 if (rv == APR_SUCCESS) 468 461 { 469 apr_socket_timeout_set(sock, timeout);462 apr_socket_timeout_set(sock, sc->ocsp_socket_timeout); 470 463 rv = apr_socket_connect(sock, sa); 471 464 if (rv == APR_SUCCESS) -
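Review bot: The rewritten line `apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);` discards the return value, so if setting the timeout fails the code proceeds to `apr_socket_connect()` with whatever timeout the socket had, which defeats the purpose of the configurable timeout. Since `rv` is already the status variable of this loop, I would write `rv = apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);` and only call `apr_socket_connect()` when it returned `APR_SUCCESS`, treating a failure like a failed connect so the socket is closed and the next address is tried; the loop body continues outside the hunk, so the exact placement of that close needs checking there. Moving the default from a file-local `#define` to the shared header and dropping the `TODO` is fine.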
src/gnutls_ocsp.h
rc6dda6d r333bbc7 24 24 25 25 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp" 26 27 /* Default OCSP response grace time in seconds */ 28 #define MGS_GRACE_TIME 60 29 /* Default OCSP failure timeout in seconds */ 30 #define MGS_OCSP_FAILURE_TIMEOUT 300 31 /* Default socket timeout for OCSP responder connections, in 32 * seconds. Note that the timeout applies to "absolutely no data sent 33 * or received", not the whole connection. 10 seconds in mod_ssl. */ 34 #define MGS_OCSP_SOCKET_TIMEOUT 6 26 35 27 36 /** -
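Review bot: The three defaults now collected in this header use two naming schemes: `MGS_GRACE_TIME` keeps its old name while the other two became `MGS_OCSP_FAILURE_TIMEOUT` and `MGS_OCSP_SOCKET_TIMEOUT`, although all three are OCSP-specific and the commit already renames one of them across gnutls_config.c. Renaming the grace time to `MGS_OCSP_GRACE_TIME` in the same commit would keep the prefix consistent; the two uses in gnutls_config.c are both inside hunks touched here. The comment on `MGS_OCSP_SOCKET_TIMEOUT` documenting the "no data at all" semantics is the right thing to carry over.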
src/mod_gnutls.c
rc6dda6d r333bbc7 288 288 "EXPERIMENTAL: Wait this many seconds before retrying a " 289 289 "failed OCSP request"), 290 AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout, 291 NULL, RSRC_CONF, 292 "EXPERIMENTAL: Socket timeout for OCSP requests"), 290 293 #ifdef __clang__ 291 294 /* Workaround for this clang bug:
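Review bot: The help string for the new directive, `"EXPERIMENTAL: Socket timeout for OCSP requests"`, does not state the unit, unlike the neighbouring `GnuTLSOCSPFailureTimeout` text which says "this many seconds"; I would make it `"EXPERIMENTAL: Socket timeout for OCSP requests (seconds)"`. The manual section added in this changeset for `GnuTLSOCSPSocketTimeout` also shows the synopsis line `GnuTLSOCSPFailureTimeout SECONDS`, which looks like a copy of the previous section and should read `GnuTLSOCSPSocketTimeout SECONDS`. The directive table continues outside the hunk.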