Changeset c6dda6d in mod_gnutls for src/mod_gnutls.c
Timestamp:
Oct 21, 2016, 6:40:02 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
333bbc7
Parents:
d26fa55
Message:

Rate limit OCSP requests

Retries after failed OCSP requests must be rate limited. If the
responder is overloaded or buggy we don't want to add too much more
load, and if a MITM is messing with requests a repetition loop might
end up being a self-inflicted denial of service.

The minimum time to wait between retries can be configured using the
GnuTLSOCSPFailureTimeout directive.

File:
1 edited

  • src/mod_gnutls.c

    rd26fa55 rc6dda6d  
    284284                  "EXPERIMENTAL: Replace cached OCSP responses this many "
    285285                  "seconds before they expire"),
     286    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
     287                  NULL, RSRC_CONF,
     288                  "EXPERIMENTAL: Wait this many seconds before retrying a "
     289                  "failed OCSP request"),
    286290#ifdef __clang__
    287291    /* Workaround for this clang bug:
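Review bot: the help string for the new GnuTLSOCSPFailureTimeout entry (the added AP_INIT_TAKE1 block) does not state which timeout applies when the directive is absent, and nothing in the hunk shows what range mgs_set_timeout accepts; since the commit message presents this timeout as the safeguard against overloading the responder or looping into a self-inflicted denial of service, please append the default to the description, e.g. `"failed OCSP request (default: <value> seconds)"`, and confirm that mgs_set_timeout rejects zero and negative values so the rate limit cannot be disabled by a typo in the configuration. If mgs_set_timeout is a handler shared with other timeout directives, also confirm it writes the failure timeout into its own configuration field rather than overwriting one of the existing OCSP timers.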