Changeset c6dda6d in mod_gnutls for doc


Timestamp:
Oct 21, 2016, 6:40:02 PM (14 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
333bbc7
Parents:
d26fa55
Message:

Rate limit OCSP requests

Retries after failed OCSP requests must be rate limited. If the
responder is overloaded or buggy we don't want to add too much more
load, and if a MITM is messing with requests a repetition loop might
end up being a self-inflicted denial of service.

The minimum time to wait between retries can be configured using the
GnuTLSOCSPFailureTimeout directive.

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rdf49a2d rc6dda6d  
    586586account for potential clock skew between server, CA, and client, as
    587587well as transmission time in corner cases.
     588
     589### GnuTLSOCSPFailureTimeout
     590
     591EXPERIMENTAL: Wait this many seconds before retrying a failed OCSP request.
     592
     593    GnuTLSOCSPFailureTimeout SECONDS
     594
     595Default: *300*\
     596Context: server config, virtual host
     597
     598Retries of failed OCSP requests must be rate limited to avoid
     599overloading both the server using mod_gnutls and the CA's OCSP
     600responder. A shorter value increases the load on both sides, a longer
     601one means that stapling will remain disabled for longer after a failed
     602request.
    588603
    589604* * * * *
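Review bot: the new GnuTLSOCSPFailureTimeout section (lines 589-602 of the manual) never says what counts as a "failed OCSP request", so an administrator cannot tell whether the timeout applies only to transport problems (connection refused, timeout, HTTP error) or also to a response that arrives but fails validation; one sentence listing the conditions that trigger the wait would make the directive usable. Two smaller points in the same paragraph: the commit message gives a second reason for the rate limit, that a retry loop under a MITM "might end up being a self-inflicted denial of service", which is the argument an admin needs when choosing a value and belongs in the manual text next to the "overloading" sentence; and the syntax line `GnuTLSOCSPFailureTimeout SECONDS` should state the accepted range (in particular whether 0 is allowed and what it means), since the default of *300* and the EXPERIMENTAL tag are the only hints given.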