Changeset 70a1e5a in mod_gnutls


Timestamp:
Jun 9, 2016, 5:08:30 PM (2 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
3e22b82
Parents:
f450ac9
Message:

Introduce OCSP caching grace time

A cached OCSP response must be updated before it expires, or time skew
might cause a client to receive a response it considers expired. In
some corner cases even network transmission delay might have the same
effect. To prevent this problem let the response cache entry expire a
configurable grace time before the response does, so a fresh response
will be fetched.

Files:
4 edited

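--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -217,4 +217,8 @@
      * certificate. */
     gnutls_x509_trust_list_t *ocsp_trust;
+    /* Cached OCSP responses expire this long before their validity
+     * period expires. This way mod_gnutls does not staple barely
+     * valid responses. */
+    apr_time_t ocsp_grace_time;
 } mgs_srvconf_rec;
 
@@ -380,6 +384,5 @@
                           const char *type, const char* arg);
 
-const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
-                                  const char *arg);
+const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
 
 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,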
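Review bot: The new `mgs_set_timeout` prototype gives no hint that a single handler now serves two directives and decides which field to set from `parms->directive->directive`, so a reader of the header cannot tell why it replaced the directive-specific `mgs_set_cache_timeout`. Add a comment above the declaration, e.g. `/* Handler for GnuTLSCacheTimeout and GnuTLSOCSPGraceTime: parses a non-negative number of seconds and stores it in the field selected by parms->directive->directive. */`. The `ocsp_grace_time` field comment could likewise state that the value is in apr_time_t units (microseconds) while the directive takes seconds, since both appear in the same struct.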
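--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -24,4 +24,6 @@
 
 #define INIT_CA_SIZE 128
+/* Default OCSP response grace time in seconds */
+#define MGS_GRACE_TIME 60
 
 #ifdef APLOG_USE_MODULE
@@ -727,26 +729,30 @@
 }
 
-const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    int argint;
+const char *mgs_set_timeout(cmd_parms * parms,
+                            void *dummy __attribute__((unused)),
+                            const char *arg)
+{
     const char *err;
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
-        return err;
-    }
-
-    argint = atoi(arg);
-
-    if (argint < 0) {
-        return "GnuTLSCacheTimeout: Invalid argument";
-    } else if (argint == 0) {
-        sc->cache_timeout = 0;
-    } else {
-        sc->cache_timeout = apr_time_from_sec(argint);
-    }
+    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
+        return err;
+
+    apr_int64_t argint = apr_atoi64(arg);
+    if (argint < 0)
+        return apr_psprintf(parms->pool, "%s: Invalid argument",
+                            parms->directive->directive);
+
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
+        sc->cache_timeout = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPGraceTime"))
+        sc->ocsp_grace_time = apr_time_from_sec(argint);
+    else
+        /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
+        return apr_psprintf(parms->pool,
+                            "mod_gnutls: %s called for invalid option '%s'",
+                            __func__, parms->directive->directive);
 
     return NULL;
@@ -976,4 +982,5 @@
     sc->ocsp_uri = NULL;
     sc->ocsp_trust = NULL;
+    sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1036,4 +1043,5 @@
     gnutls_srvconf_assign(ocsp_uri);
     gnutls_srvconf_assign(ocsp_trust);
+    gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
 
     /* FIXME: the following items are pre-allocated, and should be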
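Review bot: The `apr_int64_t argint = apr_atoi64(arg);` line in mgs_set_timeout cannot distinguish a parse failure from a legitimate 0, so a typo such as `GnuTLSOCSPGraceTime abc` or a unit suffix like `60s` passes the `argint < 0` check and silently configures 0 or 60 seconds; the old atoi() had the same gap, but this rewrite is the place to close it. Parse with an end pointer and reject unconsumed input: `char *end = NULL;`, `apr_int64_t argint = apr_strtoi64(arg, &end, 10);`, `if (end == arg || *end != '\0' || argint < 0)` followed by the existing apr_psprintf return. An upper bound on argint would also keep `apr_time_from_sec()` from overflowing apr_time_t for absurdly large values, since the multiplication by APR_USEC_PER_SEC is unchecked. The `else` branch that returns the "invalid option" error is unbraced and carries a comment in the body position; braces around it would keep the comment from being mistaken for the statement.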
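--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -396,6 +396,8 @@
     if (expiry == 0)
         expiry = apr_time_now() + sc->cache_timeout;
-
-    /* TODO: configurable refresh independent of expiration */
+    /* Apply grace time otherwise. */
+    else
+        expiry -= sc->ocsp_grace_time;
+
     int r = dbm_cache_store(s, fingerprint, resp, expiry);
     /* destroy pool, and original copy of the OCSP response with it */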
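Review bot: `expiry -= sc->ocsp_grace_time;` is applied without comparing the grace time to the remaining validity, so a response that is valid for less than GnuTLSOCSPGraceTime (or a misconfigured large grace time) gets a cache expiry in the past before it is even stored; what dbm_cache_store does with such an entry is outside this hunk, but at best it is discarded immediately and the responder is queried again on every handshake. Guard the subtraction, e.g. `else if (expiry > apr_time_now() + sc->ocsp_grace_time) expiry -= sc->ocsp_grace_time;`, and in the remaining case log at warning level that the grace time exceeds the response's remaining validity before choosing a fallback expiry. Style-wise the `/* Apply grace time otherwise. */` comment sits between the `if` body and its `else`, which reads as if the `if` statement had ended; placing it after `else` (or bracing both branches) avoids that. The enclosing function, and where `expiry` is derived from the response, lie outside the hunk.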
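--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -226,5 +226,5 @@
     "TLS Server SRP Parameters file"),
 #endif
-    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
+    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
     NULL,
     RSRC_CONF,
@@ -276,4 +276,9 @@
     RSRC_CONF,
     "EXPERIMENTAL: OCSP response for stapling (must be updated externally)"),
+    AP_INIT_TAKE1("GnuTLSOCSPGraceTime", mgs_set_timeout,
+    NULL,
+    RSRC_CONF,
+    "EXPERIMENTAL: Replace cached OCSP responses this many seconds before "
+    "they expire"),
     { NULL },
 };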
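Review bot: The directive names `"GnuTLSCacheTimeout"` and `"GnuTLSOCSPGraceTime"` in this table are now load-bearing in a second file, because mgs_set_timeout selects the field to set by string-comparing `parms->directive->directive` against the same literals; a rename or typo in either place is only caught at configuration load time as an "invalid option" error. Defining each name once (a shared macro in the header used both here and in the comparison) would keep the two sites from drifting. The help string for GnuTLSOCSPGraceTime could also state the default, e.g. `"EXPERIMENTAL: Replace cached OCSP responses this many seconds before they expire (default: 60)"`, since the 60 second MGS_GRACE_TIME default is otherwise only visible in gnutls_config.c.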