Changeset e1c094c in mod_gnutls

Timestamp:

Nov 14, 2016, 2:12:53 PM (6 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, main, master, proxy-ticket, upstream

Children:

9a18e30

Parents:

b26a792

Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead a time relative to the nextUpdate field
of the OCSP response has two main advantages:

• The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA generally a trusted entity, but its policy is almost always outside the server admin's control and might change.

• The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.

Files:

• doc/mod_gnutls_manual.mdwn (modified) (1 diff)
• include/mod_gnutls.h.in (modified) (1 diff)
• src/gnutls_config.c (modified) (3 diffs)
• src/gnutls_ocsp.c (modified) (3 diffs)
• src/gnutls_ocsp.h (modified) (1 diff)
• src/mod_gnutls.c (modified) (1 diff)
• test/tests/27_OCSP_server/apache.conf (modified) (1 diff)

doc/mod_gnutls_manual.mdwn

@@ -597 +597 @@
 support nonces.
 
-### GnuTLSOCSPGraceTime
-
-Replace cached OCSP responses this many seconds before they expire.
-
-    GnuTLSOCSPGraceTime SECONDS
-
-Default: *60*\
-Context: server config, virtual host
-
-A cached OCSP response should be updated a little before it expires to
-account for potential clock skew between server, CA, and client, as
-well as transmission time in corner cases. Note that a response
-without a `nextUpdate` field will be subject to the default cache
-lifetime.
+### GnuTLSOCSPCacheTimeout
+
+Cache timeout for OCSP responses
+
+    GnuTLSOCSPCacheTimeout SECONDS
+
+Default: *3600*\
+Context: server config, virtual host
+
+Cached OCSP responses will be refreshed after the configured number of
+seconds. How long this timeout should reasonably be depends on your
+CA, namely how often its OCSP responder is updated and how long
+responses are valid. Note that a response will not be cached beyond
+its lifetime as denoted in the `nextUpdate` field of the response.
 
 ### GnuTLSOCSPFailureTimeout

include/mod_gnutls.h.in

@@ -222 +222 @@
     /* Mutex to prevent parallel OCSP requests */
     apr_global_mutex_t *ocsp_mutex;
-    /* Cached OCSP responses expire this long before their validity
-     * period expires. This way mod_gnutls does not staple barely
-     * valid responses. */
-    apr_interval_time_t ocsp_grace_time;
+    /* Cache timeout for OCSP responses. Note that the nextUpdate
+     * field of the response takes precedence if shorter. */
+    apr_interval_time_t ocsp_cache_time;
     /* If an OCSP request fails wait this long before trying again. */
     apr_interval_time_t ocsp_failure_timeout;

src/gnutls_config.c

@@ -869 +869 @@
     }
     else if (!apr_strnatcasecmp(parms->directive->directive,
-                                "GnuTLSOCSPGraceTime"))
-        sc->ocsp_grace_time = apr_time_from_sec(argint);
+                                "GnuTLSOCSPCacheTimeout"))
+        sc->ocsp_cache_time = apr_time_from_sec(argint);
     else if (!apr_strnatcasecmp(parms->directive->directive,
                                 "GnuTLSOCSPFailureTimeout"))
@@ -1130 +1130 @@
     sc->ocsp_response_file = NULL;
     sc->ocsp_mutex = NULL;
-    sc->ocsp_grace_time = MGS_TIMEOUT_UNSET;
+    sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
     sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
@@ -1193 +1193 @@
     gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
-    gnutls_srvconf_merge(ocsp_grace_time, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);

src/gnutls_ocsp.c

@@ -663 +663 @@
     }
 
-    apr_time_t expiry;
-    if (check_ocsp_response(s, &resp, &expiry, nonce.size ? &nonce : NULL)
+    apr_time_t next_update;
+    if (check_ocsp_response(s, &resp, &next_update, nonce.size ? &nonce : NULL)
         != GNUTLS_E_SUCCESS)
     {
@@ -676 +676 @@
     gnutls_free(nonce.data);
 
-    /* If expiry is zero, the response does not contain a nextUpdate
-     * field. Use the default cache timeout. */
-    if (expiry == 0)
-        expiry = apr_time_now() + sc->cache_timeout;
-    /* Apply grace time otherwise. */
-    else
-        expiry -= sc->ocsp_grace_time;
+    apr_time_t expiry = apr_time_now() + sc->ocsp_cache_time;
+    /* Make sure that a response is not cached beyond its nextUpdate
+     * time. If the variable next_update is zero, the response does
+     * not contain a nextUpdate field. */
+    if (next_update != 0 && next_update < expiry)
+    {
+        char date_str[APR_RFC822_DATE_LEN];
+        apr_rfc822_date(date_str, next_update);
+        ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
+                     "OCSP response timeout restricted to nextUpdate time %s. "
+                     "Check if GnuTLSOCSPCacheTimeout is appropriate.",
+                     date_str);
+        expiry = next_update;
+    }
 
     int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
@@ -924 +931 @@
     if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
-    if (sc->ocsp_grace_time == MGS_TIMEOUT_UNSET)
-        sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);
+    if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
+        sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
     if (sc->ocsp_failure_timeout == MGS_TIMEOUT_UNSET)
         sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);

src/gnutls_ocsp.h

@@ -25 +25 @@
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
 
-/* Default OCSP response grace time in seconds */
-#define MGS_OCSP_GRACE_TIME 60
+/* Default OCSP response cache timeout in seconds */
+#define MGS_OCSP_CACHE_TIMEOUT 3600
 /* Default OCSP failure timeout in seconds */
 #define MGS_OCSP_FAILURE_TIMEOUT 300

src/mod_gnutls.c

@@ -283 +283 @@
                   "of sending a request over HTTP (must be updated "
                   "externally)"),
-    AP_INIT_TAKE1("GnuTLSOCSPGraceTime", mgs_set_timeout,
+    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,
-                  "Replace cached OCSP responses this many seconds before "
-                  "they expire"),
+                  "Cache timeout for OCSP responses"),
     AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,

test/tests/27_OCSP_server/apache.conf

@@ -9 +9 @@
         GnuTLSEnable            On
         GnuTLSOCSPStapling      On
+        GnuTLSOCSPCacheTimeout  60
         GnuTLSCertificateFile   server/x509-chain.pem
         GnuTLSKeyFile           server/secret.key