Changeset d6834e0 in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jun 10, 2016, 9:34:08 AM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
15b22cb
Parents:
aa68232
git-author:
Thomas Klute <thomas2.klute@…> (06/10/16 09:29:57)
git-committer:
Thomas Klute <thomas2.klute@…> (06/10/16 09:34:08)
Message:

OCSP refresh mutex: Prevent parallel requests

Add a global mutex which a thread must hold before updating a cached
OCSP response. This avoids two threads updating the same response in
parallel. The impact of parallel updates may be small with the
experimental file-based mechanism, but an extra OCSP request over HTTP
would add a lot of overhead.

Note that the new 'gnutls-ocsp' mutex is a global mutex, not one per
virtual host, because a mutex must be registered in pre_config for the
Mutex directive to work.

File:
1 edited

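--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -127,4 +127,5 @@
 
     ap_mutex_register(pconf, MGS_CACHE_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, MGS_OCSP_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
 
     /* Register a pool clean-up function */
@@ -342,4 +343,18 @@
     }
 
+    if (sc_base->ocsp_mutex == NULL)
+    {
+        rv = ap_global_mutex_create(&sc_base->ocsp_mutex, NULL,
+                                    MGS_OCSP_MUTEX_NAME, NULL,
+                                    base_server, pconf, 0);
+        if (rv != APR_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, base_server,
+                         "Failed to create mutex '" MGS_OCSP_MUTEX_NAME
+                         "'.");
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
+    }
+
     /* If GnuTLSP11Module is set, load the listed PKCS #11
      * modules. Otherwise system defaults will be used. */
@@ -370,5 +385,6 @@
     }
 
-    for (s = base_server; s; s = s->next) {
+    for (s = base_server; s; s = s->next)
+    {
         sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
         sc->cache_type = sc_base->cache_type;
@@ -385,5 +401,6 @@
         }
 
-        /* init OCSP trust list if OCSP is enabled */
+        sc->ocsp_mutex = sc_base->ocsp_mutex;
+        /* init OCSP trust list if OCSP is enabled for this host */
         if (sc->ocsp_response_file != NULL)
         {
@@ -522,4 +539,11 @@
         }
     }
+
+    /* reinit OCSP mutex */
+    const char *lockfile = apr_global_mutex_lockfile(sc->ocsp_mutex);
+    rv = apr_global_mutex_child_init(&sc->ocsp_mutex, lockfile, p);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                     "Failed to reinit mutex '" MGS_OCSP_MUTEX_NAME "'.");
 
     /* Block SIGPIPE Signals */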
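Review bot: In the child-init hunk at the end of the section, a failed `apr_global_mutex_child_init` is only logged and `sc->ocsp_mutex` is passed to `apr_global_mutex_lockfile` with no NULL check, so the child keeps running with a mutex that may be unusable; the OCSP refresh path that later locks it (outside this hunk) has to treat a lock failure as "skip the refresh", otherwise the serialization this commit adds is silently lost in that child. I would guard the reinit with `if (sc->ocsp_mutex != NULL)` and brace the two-line `ap_log_error` body, matching the Allman-brace style the commit itself applies to the `for` loop and the `if (rv != APR_SUCCESS)` block in post_config. Adding the lock file to the message, e.g. `"Failed to reinit mutex '" MGS_OCSP_MUTEX_NAME "' (%s).", lockfile`, would make a failure easier to diagnose. The enclosing child-init function starts outside the hunk, so which `sc` is being reinitialised here is not visible; presumably the per-host copies made in post_config share the same object and are covered by this one call, but that is worth confirming.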