Changeset 3656df0 in mod_gnutls for src/gnutls_ocsp.c

Timestamp:

Apr 19, 2018, 2:49:53 PM (2 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master, master, proxy-ticket

Children:

c34a68b

Parents:

6945efb

Message:

mgs_cache_ocsp_failure: Make expiry timeout an argument

A failure cache entry written from the asynchronous OCSP callback
should have a longer expiration time than the timeout after which the
request will be retried unconditionally.

File:

• src/gnutls_ocsp.c (modified) (3 diffs)

src/gnutls_ocsp.c

@@ -722 +722 @@
 
 
-/*
+/**
  * Retries after failed OCSP requests must be rate limited. If the
  * responder is overloaded or buggy we don't want to add too much more
  * load, and if a MITM is messing with requests a repetition loop
- * might end up being a self-inflicted denial of service.
+ * might end up being a self-inflicted denial of service. This
+ * function writes a specially formed entry to the cache to indicate a
+ * recent failure.
+ *
+ * @param s the server for which an OCSP request failed
+ * @param timeout lifetime of the cache entry
  */
-void mgs_cache_ocsp_failure(server_rec *s)
+static void mgs_cache_ocsp_failure(server_rec *s, apr_interval_time_t timeout)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
@@ -738 +743 @@
         .size = sizeof(c)
     };
-    apr_time_t expiry = apr_time_now() + sc->ocsp_failure_timeout;
+    apr_time_t expiry = apr_time_now() + timeout;
 
     char date_str[APR_RFC822_DATE_LEN];
@@ -824 +829 @@
                       "Caching a fresh OCSP response failed");
         /* cache failure to rate limit retries */
-        mgs_cache_ocsp_failure(ctxt->c->base_server);
+        mgs_cache_ocsp_failure(ctxt->c->base_server,
+                               ctxt->sc->ocsp_failure_timeout);
         apr_global_mutex_unlock(sc->ocsp_mutex);
         goto fail_cleanup;