Changeset e1c094c in mod_gnutls for doc


Timestamp:
Nov 14, 2016, 2:12:53 PM (13 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
9a18e30
Parents:
b26a792
Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead of a time relative to the nextUpdate field
of the OCSP response has two main advantages:

  • The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA is generally a trusted entity, but its policy is almost always outside the server admin's control and might change.
  • The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rb888e8b re1c094c  
    597597support nonces.
    598598
    599 ### GnuTLSOCSPGraceTime
    600 
    601 Replace cached OCSP responses this many seconds before they expire.
    602 
    603     GnuTLSOCSPGraceTime SECONDS
    604 
    605 Default: *60*\
    606 Context: server config, virtual host
    607 
    608 A cached OCSP response should be updated a little before it expires to
    609 account for potential clock skew between server, CA, and client, as
    610 well as transmission time in corner cases. Note that a response
    611 without a `nextUpdate` field will be subject to the default cache
    612 lifetime.
     599### GnuTLSOCSPCacheTimeout
     600
     601Cache timeout for OCSP responses
     602
     603    GnuTLSOCSPCacheTimeout SECONDS
     604
     605Default: *3600*\
     606Context: server config, virtual host
     607
     608Cached OCSP responses will be refreshed after the configured number of
     609seconds. How long this timeout should reasonably be depends on your
     610CA, namely how often its OCSP responder is updated and how long
     611responses are valid. Note that a response will not be cached beyond
     612its lifetime as denoted in the `nextUpdate` field of the response.
    613613
    614614### GnuTLSOCSPFailureTimeout
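Review bot: the new GnuTLSOCSPCacheTimeout text drops the case the removed GnuTLSOCSPGraceTime paragraph covered, a response without a `nextUpdate` field, so the manual no longer says what happens when the bound "will not be cached beyond its lifetime as denoted in the `nextUpdate` field" cannot apply; add a sentence stating whether such a response is then held for the full configured timeout. The removed paragraph's clock-skew rationale also disappears: under the new text a response may be kept right up to `nextUpdate`, so it is worth saying whether the refresh happens exactly at `nextUpdate` or some margin before it, since a response served at the edge of its validity can be rejected by a client whose clock is ahead of the server's. Since the directive is replaced rather than added alongside the old one, the manual should also tell admins that existing configurations using GnuTLSOCSPGraceTime need to be updated, and that the default changes from 60 seconds before expiry to a flat 3600 second cache lifetime.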