Changeset c6dda6d in mod_gnutls for src/gnutls_config.c

Timestamp:

Oct 21, 2016, 6:40:02 PM (3 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, master, upstream

Children:

333bbc7

Parents:

d26fa55

Message:

Rate limit OCSP requests

Retries after failed OCSP requests must be rate limited. If the
responder is overloaded or buggy we don't want to add too much more
load, and if a MITM is messing with requests a repetition loop might
end up being a self-inflicted denial of service.

The minimum time to wait between retries can be configured using the
GnuTLSOCSPFailureTimeout directive.

File:

• src/gnutls_config.c (modified) (4 diffs)

src/gnutls_config.c

@@ -26 +26 @@
 /* Default OCSP response grace time in seconds */
 #define MGS_GRACE_TIME 60
+/* Default OCSP failure timeout in seconds */
+#define MGS_FAILURE_TIMEOUT 300
 
 #ifdef APLOG_USE_MODULE
@@ -870 +872 @@
                                 "GnuTLSOCSPGraceTime"))
         sc->ocsp_grace_time = apr_time_from_sec(argint);
+    else if (!apr_strnatcasecmp(parms->directive->directive,
+                                "GnuTLSOCSPFailureTimeout"))
+        sc->ocsp_failure_timeout = apr_time_from_sec(argint);
     else
         /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
@@ -1123 +1128 @@
     sc->ocsp_mutex = NULL;
     sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
+    sc->ocsp_failure_timeout = apr_time_from_sec(MGS_FAILURE_TIMEOUT);
 
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -1183 +1189 @@
     gnutls_srvconf_assign(ocsp_response_file);
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
+    gnutls_srvconf_merge(ocsp_failure_timeout,
+                         apr_time_from_sec(MGS_FAILURE_TIMEOUT));
 
     gnutls_srvconf_assign(ca_list);