Changeset 333bbc7 in mod_gnutls for src/gnutls_config.c


Timestamp:
Oct 27, 2016, 5:50:18 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
0a02378
Parents:
c6dda6d
Message:

Configurable OCSP socket timeout

Stalled OCSP requests must time out after a while so that they do not
block the server for too long. However, if the timeout is too short,
requests may fail with a slow OCSP responder or a high-latency network
connection. Using the new GnuTLSOCSPSocketTimeout parameter users can
adjust the timeout if necessary.

All macros defining default values for OCSP related times are now
collected in gnutls_ocsp.h.

File:
1 edited

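--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -20,12 +20,9 @@
 
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #include "apr_lib.h"
 #include <gnutls/abstract.h>
 
 #define INIT_CA_SIZE 128
-/* Default OCSP response grace time in seconds */
-#define MGS_GRACE_TIME 60
-/* Default OCSP failure timeout in seconds */
-#define MGS_FAILURE_TIMEOUT 300
 
 #ifdef APLOG_USE_MODULE
@@ -875,4 +872,7 @@
                                 "GnuTLSOCSPFailureTimeout"))
         sc->ocsp_failure_timeout = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPSocketTimeout"))
+        sc->ocsp_socket_timeout = apr_time_from_sec(argint);
     else
         /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
@@ -1128,5 +1128,6 @@
     sc->ocsp_mutex = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
-    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_FAILURE_TIMEOUT);
+    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
+    sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1190,5 +1191,7 @@
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
     gnutls_srvconf_merge(ocsp_failure_timeout,
-                         apr_time_from_sec(MGS_FAILURE_TIMEOUT));
+                         apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT));
+    gnutls_srvconf_merge(ocsp_socket_timeout,
+                         apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT));
 
     gnutls_srvconf_assign(ca_list);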
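Review bot: The new GnuTLSOCSPSocketTimeout branch in the directive handler stores `argint` without a range check, and since the enclosing function starts and ends outside the hunk I cannot see whether the shared parsing above it rejects zero or negative values. If it does not, `apr_time_from_sec(argint)` produces a timeout that APR socket calls treat as non-blocking (0) or block-forever (negative), which defeats the stated purpose of bounding a stalled OCSP request. A guard before the assignment such as `if (argint <= 0) return "GnuTLSOCSPSocketTimeout must be a positive number of seconds";` would close that, assuming the handler follows Apache's convention of returning an error string from directive callbacks; if that validation already exists above, a one-line comment pointing to it would suffice. The new default `MGS_OCSP_SOCKET_TIMEOUT` is presumably supplied by the newly included gnutls_ocsp.h, which is not part of this changeset view, so its value and units should be confirmed there.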