Changeset c6dda6d in mod_gnutls for include


Timestamp: Oct 21, 2016, 6:40:02 PM
Author: Thomas Klute <thomas2.klute@…>
Branches: master, debian, upstream
Children: 333bbc7
Parents: d26fa55
Message:

Rate limit OCSP requests

Retries after failed OCSP requests must be rate limited. If the
responder is overloaded or buggy, we don't want to add too much more
load, and if a MITM is messing with requests, a repetition loop might
end up being a self-inflicted denial of service.

The minimum time to wait between retries can be configured using the
GnuTLSOCSPFailureTimeout directive.
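
To make the rate limiting concrete, the following is an added C example; it is not mod_gnutls code. Its configuration struct mirrors the two mgs_srvconf_rec members touched by this changeset (ocsp_grace_time and ocsp_failure_timeout), but uses plain seconds in int64_t instead of apr_time_t, and the reading of the grace time as "refresh the cached response this long before it expires" is an assumption made for the example. It models a responder that fails for ten minutes (overloaded, or a MITM dropping requests) and counts how many OCSP requests a server issues over an hour of continuous handshakes with and without a failure timeout, which is the self-inflicted denial of service the commit message describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Configuration, mirroring the two mgs_srvconf_rec fields from the diff.
 * Times are plain seconds (int64_t) rather than apr_time_t microseconds. */
typedef struct {
    int64_t grace_time;      /* refresh the cached response this long before it
                              * expires (assumed meaning of ocsp_grace_time) */
    int64_t failure_timeout; /* minimum wait after a failed request before retrying */
} ocsp_conf_t;

/* Per-server runtime state. In a threaded server the caller must hold the
 * "mutex to prevent parallel OCSP requests" while reading or updating this. */
typedef struct {
    bool    have_response;   /* a cached OCSP response is available */
    int64_t next_update;     /* nextUpdate time of the cached response */
    int64_t last_failure;    /* time of the last failed request, or -1 if none */
} ocsp_state_t;

/* Decide whether an OCSP request may be sent at time `now`. */
bool ocsp_may_request(const ocsp_conf_t *conf, const ocsp_state_t *st, int64_t now)
{
    /* Cached response still valid and outside the grace window: nothing to do. */
    if (st->have_response && now < st->next_update - conf->grace_time)
        return false;
    /* Rate limit: after a failure, wait at least failure_timeout before retrying. */
    if (st->last_failure >= 0 && now - st->last_failure < conf->failure_timeout)
        return false;
    return true;
}

/* Constructed responder model: every request before `fail_until` fails
 * (overloaded responder, or a MITM dropping the request); afterwards a
 * response valid for `validity` seconds is returned. */
typedef struct {
    int64_t fail_until;
    int64_t validity;
} responder_t;

/* Simulate one handshake every `interval` seconds for `duration` seconds and
 * return how many OCSP requests the server sent to the responder. */
int ocsp_simulate(const ocsp_conf_t *conf, const responder_t *r,
                  int64_t interval, int64_t duration)
{
    ocsp_state_t st = { false, 0, -1 };
    int requests = 0;

    for (int64_t now = 0; now < duration; now += interval) {
        if (!ocsp_may_request(conf, &st, now))
            continue;
        requests++;
        if (now < r->fail_until) {
            st.last_failure = now;          /* remember when the failure happened */
        } else {
            st.have_response = true;
            st.next_update  = now + r->validity;
            st.last_failure = -1;           /* success clears the backoff */
        }
    }
    return requests;
}

int main(void)
{
    responder_t r = { 600, 3600 };          /* fails for the first 10 minutes */
    ocsp_conf_t no_limit = { 60, 0 };
    ocsp_conf_t limited  = { 60, 300 };

    printf("failure_timeout=0:   %d requests in one hour\n",
           ocsp_simulate(&no_limit, &r, 1, 3600));
    printf("failure_timeout=300: %d requests in one hour\n",
           ocsp_simulate(&limited, &r, 1, 3600));
    return 0;
}
```

With failure_timeout set to 0 every handshake during the outage turns into another request to the responder, so the server sends 601 requests in the hour; with a 300 second timeout it sends 3. The check itself is a pure comparison against the last-failure timestamp, which is why the real implementation has to read and update that timestamp under the mutex declared next to the OCSP data in the diff: otherwise concurrent handshakes that all see the stale timestamp retry in parallel and the limit is only nominal.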

File:
1 edited

  • include/mod_gnutls.h.in

    r78b75b3 rc6dda6d  
    216216     * instead of sending a request over HTTP */
    217217    char *ocsp_response_file;
    218     /* Server specific OCSP data */
     218    /* Internal OCSP data for this server */
    219219    mgs_ocsp_data_t ocsp;
    220220    /* Mutex to prevent parallel OCSP requests */
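Review bot: the comment rewording at line 218 is cosmetic and still does not say what the member holds; the mutex declared right below it ("Mutex to prevent parallel OCSP requests") exists to serialize access to exactly this state, so the comment should say so, e.g. `/* Cached OCSP state for this server; access only while holding the mutex below */`.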
     
    224224     * valid responses. */
    225225    apr_time_t ocsp_grace_time;
     226    /* If an OCSP request fails wait this long before trying again. */
     227    apr_time_t ocsp_failure_timeout;
    226228} mgs_srvconf_rec;
    227229
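Review bot: the new ocsp_failure_timeout member at line 227 is only declared here; this changeset touches a single header, so the GnuTLSOCSPFailureTimeout directive handler, the default set in the server-config create and merge functions, and the retry check that reads the field are elsewhere and need to be reviewed together with it. Two things to verify there: a zero value must be rejected or replaced by a non-zero default, because with "wait this long before trying again" a zero timeout is exactly the unthrottled retry loop the commit message wants to prevent, and the last-failure timestamp that the timeout is compared against must be read and updated under the "Mutex to prevent parallel OCSP requests" from line 220, otherwise concurrent handshakes that all observe the stale timestamp will retry in parallel. The comment should also name the directive, e.g. `/* Minimum wait after a failed OCSP request before trying again (GnuTLSOCSPFailureTimeout) */`.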