Changeset 333bbc7 in mod_gnutls


Timestamp:
Oct 27, 2016, 5:50:18 PM (14 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
0a02378
Parents:
c6dda6d
Message:

Configurable OCSP socket timeout

Stalled OCSP requests must time out after a while to prevent stalling
the server too much. However, if the timeout is too short requests may
fail with a slow OCSP responder or high latency network
connection. Using the new GnuTLSOCSPSocketTimeout parameter users can
adjust the timeout if necessary.

All macros defining default values for OCSP related times are now
collected in gnutls_ocsp.h.

Files:
6 edited

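--- a/doc/mod_gnutls_manual.mdwn
+++ b/doc/mod_gnutls_manual.mdwn
@@ -601,4 +601,24 @@
 one means that stapling will remain disabled for longer after a failed
 request.
+
+### GnuTLSOCSPSocketTimeout
+
+EXPERIMENTAL: Timeout for TCP sockets used to send OCSP requests
+
+    GnuTLSOCSPFailureTimeout SECONDS
+
+Default: *6*\
+Context: server config, virtual host
+
+Stalled OCSP requests must time out after a while to prevent stalling
+the server too much. However, if the timeout is too short requests may
+fail with a slow OCSP responder or high latency network
+connection. This parameter allows you to adjust the timeout if
+necessary.
+
+Note that this is not an upper limit for the completion of an OCSP
+request but a socket timeout. The connection will time out if there is
+no activity (successful send or receive) at all for the configured
+time.
 
 * * * * *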
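--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -226,4 +226,6 @@
     /* If an OCSP request fails wait this long before trying again. */
     apr_time_t ocsp_failure_timeout;
+    /* Socket timeout for OCSP requests */
+    apr_interval_time_t ocsp_socket_timeout;
 } mgs_srvconf_rec;
 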
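Review bot: The comment on the new `ocsp_socket_timeout` field does not say what the value means, and a field of this name is easy to misread as a per-request deadline. Elsewhere in this changeset it is filled from a seconds value via apr_time_from_sec() and handed straight to apr_socket_timeout_set(), so it is an APR interval that only fires when no data is sent or received at all; I would say so here: `/* Inactivity timeout (APR interval, configured in seconds) applied to sockets used for OCSP requests; not a bound on the whole request. */`. The struct's opening is outside this hunk.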
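--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -20,12 +20,9 @@
 
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #include "apr_lib.h"
 #include <gnutls/abstract.h>
 
 #define INIT_CA_SIZE 128
-/* Default OCSP response grace time in seconds */
-#define MGS_GRACE_TIME 60
-/* Default OCSP failure timeout in seconds */
-#define MGS_FAILURE_TIMEOUT 300
 
 #ifdef APLOG_USE_MODULE
@@ -875,4 +872,7 @@
                                 "GnuTLSOCSPFailureTimeout"))
         sc->ocsp_failure_timeout = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPSocketTimeout"))
+        sc->ocsp_socket_timeout = apr_time_from_sec(argint);
     else
         /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
@@ -1128,5 +1128,6 @@
     sc->ocsp_mutex = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
-    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_FAILURE_TIMEOUT);
+    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
+    sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1190,5 +1191,7 @@
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
     gnutls_srvconf_merge(ocsp_failure_timeout,
-                         apr_time_from_sec(MGS_FAILURE_TIMEOUT));
+                         apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT));
+    gnutls_srvconf_merge(ocsp_socket_timeout,
+                         apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT));
 
     gnutls_srvconf_assign(ca_list);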
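Review bot: The new GnuTLSOCSPSocketTimeout branch stores `apr_time_from_sec(argint)` with no visible range check, and 0 or a negative value is not harmless for this particular field: per APR's documentation apr_socket_timeout_set() treats 0 as "never block" and a negative interval as "block indefinitely", so either setting would silently defeat the stall protection the commit message describes (a failure timeout of 0 merely retries immediately). Whether argint is already validated cannot be seen here because mgs_set_timeout starts outside the hunk; if it is not, reject non-positive values in this branch before the assignment, e.g. `if (argint <= 0) return "GnuTLSOCSPSocketTimeout must be a positive number of seconds";`. The default and merge hunks below are fine as they stand, since MGS_OCSP_SOCKET_TIMEOUT is a positive constant.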
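--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -34,9 +34,4 @@
 #define OCSP_REQ_TYPE "application/ocsp-request"
 #define OCSP_RESP_TYPE "application/ocsp-response"
-
-/* Default socket timeout for OCSP responder connections, in
- * seconds. Note that the timeout applies to "absolutely no data sent
- * or received", not the whole connection. 10 seconds in mod_ssl. */
-#define OCSP_SOCKET_TIMEOUT 2
 
 /* Dummy data for failure cache entries (one byte). */
@@ -459,6 +454,4 @@
      * works. */
     apr_socket_t *sock;
-    /* TODO: configurable timeout */
-    apr_interval_time_t timeout = apr_time_from_sec(OCSP_SOCKET_TIMEOUT);
     while (sa)
     {
@@ -467,5 +460,5 @@
         if (rv == APR_SUCCESS)
         {
-            apr_socket_timeout_set(sock, timeout);
+            apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);
             rv = apr_socket_connect(sock, sa);
             if (rv == APR_SUCCESS)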
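Review bot: The result of `apr_socket_timeout_set(sock, sc->ocsp_socket_timeout)` is discarded, so if the call fails the following apr_socket_connect() and the later send/receive run with whatever timeout the fresh socket has (blocking, in APR's default), which is exactly the stall the configurable timeout is meant to prevent. Check it the same way the neighbouring apr_* calls are checked, `rv = apr_socket_timeout_set(sock, sc->ocsp_socket_timeout);` followed by `if (rv == APR_SUCCESS) rv = apr_socket_connect(sock, sa);`, so a failure falls through the existing rv handling instead of being ignored. The enclosing function starts and ends outside this hunk, and whether `sc` is the server config for the current virtual host cannot be confirmed from the hunk alone.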
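--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -24,4 +24,13 @@
 
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
+
+/* Default OCSP response grace time in seconds */
+#define MGS_GRACE_TIME 60
+/* Default OCSP failure timeout in seconds */
+#define MGS_OCSP_FAILURE_TIMEOUT 300
+/* Default socket timeout for OCSP responder connections, in
+ * seconds. Note that the timeout applies to "absolutely no data sent
+ * or received", not the whole connection. 10 seconds in mod_ssl. */
+#define MGS_OCSP_SOCKET_TIMEOUT 6
 
 /**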
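Review bot: Of the three defaults gathered here, `MGS_GRACE_TIME` is the only one without the `OCSP_` infix even though its own comment calls it an OCSP value, so the set reads inconsistently next to `MGS_OCSP_FAILURE_TIMEOUT` (renamed in this very changeset) and `MGS_OCSP_SOCKET_TIMEOUT`. Renaming it to `MGS_OCSP_GRACE_TIME` would finish the move; its two uses in src/gnutls_config.c are both visible in this changeset. The socket timeout comment also cites mod_ssl's 10 seconds without saying why 6 was picked here, and a short clause giving that reason would spare the next reader from guessing whether the difference is deliberate.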
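--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -288,4 +288,7 @@
                   "EXPERIMENTAL: Wait this many seconds before retrying a "
                   "failed OCSP request"),
+    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "EXPERIMENTAL: Socket timeout for OCSP requests"),
 #ifdef __clang__
     /* Workaround for this clang bug: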
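Review bot: The help string `"EXPERIMENTAL: Socket timeout for OCSP requests"` gives neither the unit nor the semantics, unlike the sibling entry just above it that spells out "this many seconds"; since the value is an inactivity timeout rather than a request deadline, I would write `"EXPERIMENTAL: Seconds of inactivity after which a socket used for an OCSP request times out"`. The manual section added in this changeset for the same directive also shows the usage line as `GnuTLSOCSPFailureTimeout SECONDS` under the GnuTLSOCSPSocketTimeout heading, which looks like a copy-and-paste slip and should read `GnuTLSOCSPSocketTimeout SECONDS`. The command table this entry sits in starts and ends outside the hunk.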