Changeset 70a1e5a in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jun 9, 2016, 5:08:30 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
3e22b82
Parents:
f450ac9
Message:

Introduce OCSP caching grace time

A cached OCSP response must be updated before it expires, or time skew
might cause a client to receive a response it considers expired. In
some corner cases even network transmission delay might have the same
effect. To prevent this problem let the response cache entry expire a
configurable grace time before the response does, so a fresh response
will be fetched.

File:
1 edited

  • src/gnutls_ocsp.c

    rf450ac9 r70a1e5a  
    396396    if (expiry == 0)
    397397        expiry = apr_time_now() + sc->cache_timeout;
    398 
    399     /* TODO: configurable refresh independent of expiration */
     398    /* Apply grace time otherwise. */
     399    else
     400        expiry -= sc->ocsp_grace_time;
     401
    400402    int r = dbm_cache_store(s, fingerprint, resp, expiry);
    401403    /* destroy pool, and original copy of the OCSP response with it */
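Review bot: the subtraction `expiry -= sc->ocsp_grace_time;` in the new else branch has no lower bound, so a grace time longer than the response's remaining validity yields an expiry that is already in the past when it is handed to dbm_cache_store(). Consider comparing the result against apr_time_now() before storing and either clamping it or logging a warning, so that a misconfigured grace time is visible instead of producing an entry that is presumably stale as soon as it is written. The removed TODO asked for a refresh independent of expiration, while the new value is still derived from the expiry, so a reworded TODO may be worth keeping. As a style point, the comment placed between the if body and the else reads ambiguously; braces on both branches with the comment inside the else block would be clearer.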