Changeset a467635 in mod_gnutls


Timestamp:
Apr 19, 2018, 2:44:26 PM (2 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
0cdfb19
Parents:
506e64a
Message:

Enable asynchronous OCSP updates

Asynchronous updates are always enabled if mod_watchdog is
available. For now, the OCSP cache lifetime is used as the callback
interval.

File:
1 edited

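--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -20,4 +20,5 @@
 #include "gnutls_config.h"
 #include "gnutls_util.h"
+#include "gnutls_watchdog.h"
 
 #include <apr_escape.h>
@@ -25,4 +26,5 @@
 #include <apr_time.h>
 #include <gnutls/ocsp.h>
+#include <mod_watchdog.h>
 #include <time.h>
 
@@ -923,4 +925,54 @@
 
 
+/**
+ * Perform an asynchronous OCSP cache update. This is a callback for
+ * mod_watchdog, so the API is fixed.
+ *
+ * @param state watchdog state (starting/running/stopping)
+ * @param data callback data, contains the server_rec
+ * @param pool temporary callback pool destroyed after the call
+ * @return always `APR_SUCCESS` as required by the mod_watchdog API to
+ * indicate that the callback should be called again
+ */
+static apr_status_t mgs_async_ocsp_update(int state,
+                                          void *data,
+                                          apr_pool_t *pool __attribute__((unused)))
+{
+    /* If the server is stopping there's no need to do an OCSP
+     * update. */
+    if (state == AP_WATCHDOG_STATE_STOPPING)
+        return APR_SUCCESS;
+
+    server_rec *s = (server_rec *) data;
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
+    apr_time_t expiry = 0;
+
+    /* Callbacks registered to one watchdog instance are run
+     * sequentially. Child watchdog threads are created in a
+     * child_init hook, but it doesn't guarantee when callbacks will
+     * be called for the first time.
+     *
+     * Using the mutex should help avoiding duplicate OCSP requests
+     * (async and during request handling) if requests arrive before
+     * the startup run completes. However, an early request might
+     * still get in between initial OCSP caching calls. */
+    if (state == AP_WATCHDOG_STATE_STARTING)
+        apr_global_mutex_lock(sc->ocsp_mutex);
+    apr_status_t rv = mgs_cache_ocsp_response(s, &expiry);
+    if (state == AP_WATCHDOG_STATE_STARTING)
+        apr_global_mutex_unlock(sc->ocsp_mutex);
+
+    /* TODO: error handling, fuzzy interval */
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
+                 "Async OCSP update done for %s:%d.",
+                 s->server_hostname, s->addrs->host_port);
+
+    return APR_SUCCESS;
+}
+
+
+
 /*
  * Like in the general post_config hook the HTTP status codes for
@@ -998,4 +1050,24 @@
                                                         sc);
 
+    /* The watchdog structure may be NULL if mod_watchdog is
+     * unavailable. */
+    if (sc->singleton_wd != NULL)
+    {
+        apr_status_t rv =
+            sc->singleton_wd->register_callback(sc->singleton_wd->wd,
+                                                sc->ocsp_cache_time,
+                                                server, mgs_async_ocsp_update);
+        if (rv == APR_SUCCESS)
+            ap_log_error(APLOG_MARK, APLOG_INFO, rv, server,
+                         "Enabled async OCSP update via watchdog "
+                         "for %s:%d",
+                         server->server_hostname, server->addrs->host_port);
+        else
+            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
+                         "Enabling async OCSP update via watchdog "
+                         "for %s:%d failed!",
+                         server->server_hostname, server->addrs->host_port);
+    }
+
     return OK;
 }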
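Review bot: The return value of `apr_global_mutex_lock(sc->ocsp_mutex)` on new line 961 of mgs_async_ocsp_update is never checked, so a failed lock still runs the cache update and then unlocks a mutex that was never acquired; the TODO on line 966 acknowledges the missing error handling but the code ships without it. In the same function the result of `mgs_cache_ocsp_response()` only feeds the DEBUG log on lines 968-970, so a persistently failing OCSP refresh — the case that eventually leaves no valid response to staple once the cached one expires — is invisible at default log levels. I would skip the update when the lock cannot be taken and log at WARNING when `rv != APR_SUCCESS`, as sketched below; `expiry` is written by the call but never read, which is presumably deliberate while the cache lifetime doubles as the callback interval, and a one-line comment saying so would save the next reader the question.
```c
    /* … unchanged: stopping check, s/sc/expiry setup, sequencing comment … */
    apr_status_t rv = APR_SUCCESS;
    if (state == AP_WATCHDOG_STATE_STARTING)
    {
        rv = apr_global_mutex_lock(sc->ocsp_mutex);
        if (rv != APR_SUCCESS)
        {
            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
                         "Skipping async OCSP update for %s:%d, "
                         "could not lock the OCSP mutex.",
                         s->server_hostname, s->addrs->host_port);
            return APR_SUCCESS;
        }
    }
    rv = mgs_cache_ocsp_response(s, &expiry);
    if (state == AP_WATCHDOG_STATE_STARTING)
        apr_global_mutex_unlock(sc->ocsp_mutex);

    /* A failed refresh deserves a warning: repeated failures leave
     * nothing valid to staple once the cached response expires. */
    ap_log_error(APLOG_MARK,
                 rv == APR_SUCCESS ? APLOG_DEBUG : APLOG_WARNING, rv, s,
                 "Async OCSP update done for %s:%d.",
                 s->server_hostname, s->addrs->host_port);
    /* … unchanged: return APR_SUCCESS … */
```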