Changeset 3656df0 in mod_gnutls for src/gnutls_ocsp.c


Timestamp: Apr 19, 2018, 2:49:53 PM (2 years ago)
Author: Fiona Klute <fiona.klute@…>
Branches: debian/master, master, proxy-ticket
Children: c34a68b
Parents: 6945efb
Message:

mgs_cache_ocsp_failure: Make expiry timeout an argument

A failure cache entry written from the asynchronous OCSP callback
should have a longer expiration time than the timeout after which the
request will be retried unconditionally.

File: 1 edited

  • src/gnutls_ocsp.c

    r6945efb r3656df0  
    722722
    723723
    724 /*
     724/**
    725725 * Retries after failed OCSP requests must be rate limited. If the
    726726 * responder is overloaded or buggy we don't want to add too much more
    727727 * load, and if a MITM is messing with requests a repetition loop
    728  * might end up being a self-inflicted denial of service.
     728 * might end up being a self-inflicted denial of service. This
     729 * function writes a specially formed entry to the cache to indicate a
     730 * recent failure.
     731 *
     732 * @param s the server for which an OCSP request failed
     733 * @param timeout lifetime of the cache entry
    729734 */
    730 void mgs_cache_ocsp_failure(server_rec *s)
     735static void mgs_cache_ocsp_failure(server_rec *s, apr_interval_time_t timeout)
    731736{
    732737    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
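Review bot: The new `@param timeout` line should state the unit; `apr_interval_time_t` is a microsecond count, the same unit as the `apr_time_t` it is added to, so a caller that passes seconds gets a failure entry that expires almost immediately and the rate limiting described in the comment is lost. Suggest `@param timeout lifetime of the cache entry, in microseconds`. Also, because the function becomes `static` in this hunk, any prototype elsewhere that still declares the old `void mgs_cache_ocsp_failure(server_rec *s)` must be removed in the same change, otherwise the signature mismatch breaks the build.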
     
    738743        .size = sizeof(c)
    739744    };
    740     apr_time_t expiry = apr_time_now() + sc->ocsp_failure_timeout;
     745    apr_time_t expiry = apr_time_now() + timeout;
    741746
    742747    char date_str[APR_RFC822_DATE_LEN];
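Review bot: `apr_time_t expiry = apr_time_now() + timeout;` trusts the caller for the sign of `timeout`; a zero or negative value produces an entry that is already expired when it is written, which silently disables the retry throttling this function exists to provide. Since `sc` is already in scope here, consider falling back to the configured value, e.g. `if (timeout <= 0) timeout = sc->ocsp_failure_timeout;`, or at minimum `ap_assert(timeout > 0);` so a bad caller is caught during testing rather than showing up as an unexplained burst of OCSP retries.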
     
    824829                      "Caching a fresh OCSP response failed");
    825830        /* cache failure to rate limit retries */
    826         mgs_cache_ocsp_failure(ctxt->c->base_server);
     831        mgs_cache_ocsp_failure(ctxt->c->base_server,
     832                               ctxt->sc->ocsp_failure_timeout);
    827833        apr_global_mutex_unlock(sc->ocsp_mutex);
    828834        goto fail_cleanup;
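Review bot: The only call site in this changeset still passes the unchanged `ctxt->sc->ocsp_failure_timeout`, so the longer expiry for the asynchronous OCSP callback that the commit message motivates is not realized here; either that caller belongs in this commit or the message should say the change is preparatory. As a style point, the call uses `ctxt->sc->ocsp_failure_timeout` while the unlock two lines later uses `sc->ocsp_mutex`; if `sc` is the server config for this context, `sc->ocsp_failure_timeout` keeps the two lines consistent.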