Changeset 3d30543 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Apr 19, 2018, 3:23:24 PM (2 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
f233a23
Parents:
61e802c
Message:

Write failure cache entries from asynchronous OCSP updates

This prevents synchronous OCSP updates during the error timeout. Note
that there might be a timing window between the good cache entry
expiring and the next asynchronous update, where a new TLS connection
might still trigger an additional update.

File:
1 edited

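--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -940,5 +940,5 @@
 static apr_status_t mgs_async_ocsp_update(int state,
                                           void *data,
-                                          apr_pool_t *pool __attribute__((unused)))
+                                          apr_pool_t *pool)
 {
     /* If the server is stopping there's no need to do an OCSP
@@ -979,4 +979,29 @@
                  apr_time_sec(next_interval));
 
+    /* Check if there's still a response in the cache. If not, add a
+     * failure entry. If there already is a failure entry, refresh
+     * it. The lifetime of such entries is twice the error timeout to
+     * make sure they do not expire before the next scheduled
+     * update. */
+    if (rv != APR_SUCCESS)
+    {
+        const gnutls_datum_t ocsp_response =
+            sc->cache->fetch(server, sc->ocsp->fingerprint, pool);
+
+        if (ocsp_response.size == 0 ||
+            ((ocsp_response.size == sizeof(unsigned char)) &&
+             (*((unsigned char *) ocsp_response.data) ==
+              OCSP_FAILURE_CACHE_DATA)))
+        {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                         "Caching OCSP request failure for %s:%d.",
+                         server->server_hostname, server->addrs->host_port);
+            mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2);
+        }
+
+        /* Get rid of the response, if any */
+        if (ocsp_response.size != 0)
+            gnutls_free(ocsp_response.data);
+    }
     apr_global_mutex_unlock(sc->ocsp_mutex);
 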
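Review bot: The result of `mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2);` on new line 999 is discarded, so if that call reports a failed cache store (its return type is not visible in this hunk), no failure entry exists and the synchronous updates this commit intends to suppress resume silently during the error timeout; logging a non-success result at APLOG_WARNING in the same branch would make that gap visible to operators. The failure-marker test on lines 991–994 (size equal to `sizeof(unsigned char)` and the first byte equal to `OCSP_FAILURE_CACHE_DATA`) is presumably the same check the synchronous path needs when it reads the cache, and a small `static` helper such as `mgs_ocsp_is_failure_entry(const gnutls_datum_t *d)` would keep the two definitions of "failure entry" from drifting apart. The body of mgs_async_ocsp_update runs outside both hunks, including where `rv` is set and `sc->ocsp_mutex` is acquired, so this review covers only the visible lines.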