Changeset c6dda6d in mod_gnutls

Timestamp:

Oct 21, 2016, 6:40:02 PM (6 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, main, master, proxy-ticket, upstream

Children:

333bbc7

Parents:

d26fa55

Message:

Rate limit OCSP requests

Retries after failed OCSP requests must be rate limited. If the
responder is overloaded or buggy we don't want to add too much more
load, and if a MITM is messing with requests a repetition loop might
end up being a self-inflicted denial of service.

The minimum time to wait between retries can be configured using the
GnuTLSOCSPFailureTimeout directive.

Files:

• doc/mod_gnutls_manual.mdwn (modified) (1 diff)
• include/mod_gnutls.h.in (modified) (2 diffs)
• src/gnutls_config.c (modified) (4 diffs)
• src/gnutls_ocsp.c (modified) (5 diffs)
• src/mod_gnutls.c (modified) (1 diff)

doc/mod_gnutls_manual.mdwn

@@ -586 +586 @@
 account for potential clock skew between server, CA, and client, as
 well as transmission time in corner cases.
+
+### GnuTLSOCSPFailureTimeout
+
+EXPERIMENTAL: Wait this many seconds before retrying a failed OCSP request.
+
+    GnuTLSOCSPFailureTimeout SECONDS
+
+Default: *300*\
+Context: server config, virtual host
+
+Retries of failed OCSP requests must be rate limited to avoid
+overloading both the server using mod_gnutls and the CA's OCSP
+responder. A shorter value increases the load on both sides, a longer
+one means that stapling will remain disabled for longer after a failed
+request.
 
 * * * * *

include/mod_gnutls.h.in

@@ -216 +216 @@
      * instead of sending a request over HTTP */
     char *ocsp_response_file;
-    /* Server specific OCSP data */
+    /* Internal OCSP data for this server */
     mgs_ocsp_data_t ocsp;
     /* Mutex to prevent parallel OCSP requests */
@@ -224 +224 @@
      * valid responses. */
     apr_time_t ocsp_grace_time;
+    /* If an OCSP request fails wait this long before trying again. */
+    apr_time_t ocsp_failure_timeout;
 } mgs_srvconf_rec;
 

src/gnutls_config.c

@@ -26 +26 @@
 /* Default OCSP response grace time in seconds */
 #define MGS_GRACE_TIME 60
+/* Default OCSP failure timeout in seconds */
+#define MGS_FAILURE_TIMEOUT 300
 
 #ifdef APLOG_USE_MODULE
@@ -870 +872 @@
                                 "GnuTLSOCSPGraceTime"))
         sc->ocsp_grace_time = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPFailureTimeout"))
+        sc->ocsp_failure_timeout = apr_time_from_sec(argint);
     else
         /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
@@ -1123 +1128 @@
     sc->ocsp_mutex = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
+    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_FAILURE_TIMEOUT);
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1183 +1189 @@
     gnutls_srvconf_assign(ocsp_response_file);
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
+    gnutls_srvconf_merge(ocsp_failure_timeout,
+                         apr_time_from_sec(MGS_FAILURE_TIMEOUT));
 
     gnutls_srvconf_assign(ca_list);

src/gnutls_ocsp.c

@@ -39 +39 @@
  * or received", not the whole connection. 10 seconds in mod_ssl. */
 #define OCSP_SOCKET_TIMEOUT 2
+
+/* Dummy data for failure cache entries (one byte). */
+#define OCSP_FAILURE_CACHE_DATA 0x0f
 
 
@@ -684 +687 @@
 
 
+/*
+ * Retries after failed OCSP requests must be rate limited. If the
+ * responder is overloaded or buggy we don't want to add too much more
+ * load, and if a MITM is messing with requests a repetition loop
+ * might end up being a self-inflicted denial of service.
+ */
+void mgs_cache_ocsp_failure(server_rec *s)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
+
+    unsigned char c = OCSP_FAILURE_CACHE_DATA;
+    gnutls_datum_t dummy = {
+        .data = &c,
+        .size = sizeof(c)
+    };
+    apr_time_t expiry = apr_time_now() + sc->ocsp_failure_timeout;
+
+    char date_str[APR_RFC822_DATE_LEN];
+    apr_rfc822_date(date_str, expiry);
+    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                 "OCSP request for %s failed, next try after %s.",
+                 s->server_hostname, date_str);
+
+    int r = sc->cache->store(s, sc->ocsp->fingerprint, dummy, expiry);
+    if (r != 0)
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
+                     "Caching OCSP failure failed.");
+}
+
+
+
 int mgs_get_ocsp_response(gnutls_session_t session __attribute__((unused)),
                           void *ptr,
@@ -702 +737 @@
                       "Fetching OCSP response from cache failed.");
     }
+    else if ((ocsp_response->size == sizeof(unsigned char)) &&
+             (*((unsigned char *) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA))
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
+                      "Cached OCSP failure found for %s.",
+                      ctxt->c->base_server->server_hostname);
+        goto fail_cleanup;
+    }
     else
     {
@@ -714 +757 @@
                   "No valid OCSP response in cache, trying to update.");
 
-    /* TODO: Once sending OCSP requests is implemented we need a rate
-     * limit for retries on error. If the responder is overloaded or
-     * buggy we don't want to add too much more load, and if a MITM is
-     * messing with requests a repetition loop might end up being a
-     * self-inflicted denial of service. */
     apr_status_t rv = apr_global_mutex_trylock(ctxt->sc->ocsp_mutex);
     if (APR_STATUS_IS_EBUSY(rv))
@@ -747 +785 @@
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
-                      "Updating OCSP response cache failed");
+                      "Caching a fresh OCSP response failed");
+        /* cache failure to rate limit retries */
+        mgs_cache_ocsp_failure(ctxt->c->base_server);
         apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
         goto fail_cleanup;

src/mod_gnutls.c

@@ -284 +284 @@
                   "EXPERIMENTAL: Replace cached OCSP responses this many "
                   "seconds before they expire"),
+    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "EXPERIMENTAL: Wait this many seconds before retrying a "
+                  "failed OCSP request"),
 #ifdef __clang__
     /* Workaround for this clang bug: