Changeset e1c094c in mod_gnutls for include
Timestamp:
Nov 14, 2016, 2:12:53 PM
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
9a18e30
Parents:
b26a792
Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead of a time relative to the nextUpdate field
of the OCSP response has two main advantages:

  • The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA generally a trusted entity, but its policy is almost always outside the server admin's control and might change.
  • The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.
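The two policies the message compares, side by side, as an added example that is not mod_gnutls code: expiry under the old grace-time rule (nextUpdate minus the grace period) versus the new cache-timeout rule (now plus the timeout, capped by nextUpdate when that is earlier). Time values are plain int64_t microseconds rather than apr_time_t so it builds without APR; the ocsp_times struct, the function names and the sample timestamps are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Microseconds, the unit of apr_interval_time_t/apr_time_t; plain int64_t is
 * used here so the example builds without APR. */
typedef int64_t usec_t;
#define USEC_PER_SEC ((usec_t)1000000)

/* Hypothetical view of an OCSP response, reduced to the two timestamps this
 * policy needs. has_next_update models nextUpdate being OPTIONAL in
 * RFC 6960's SingleResponse. */
typedef struct {
    usec_t this_update;
    usec_t next_update;
    bool   has_next_update;
} ocsp_times;

/* Old policy (GnuTLSOCSPGraceTime): the cached response expires grace_time
 * before nextUpdate, so the cache lifetime is whatever the responder chose
 * minus the grace period. Returns 0 when nextUpdate is absent, because the
 * policy then has nothing to subtract from. */
usec_t expiry_grace_policy(const ocsp_times *r, usec_t grace_time)
{
    if (!r->has_next_update)
        return 0;
    return r->next_update - grace_time;
}

/* New policy (GnuTLSOCSPCacheTimeout): the cache entry expires cache_timeout
 * after it was stored, unless nextUpdate comes first. Without nextUpdate the
 * timeout alone bounds the lifetime. */
usec_t expiry_timeout_policy(const ocsp_times *r, usec_t now, usec_t cache_timeout)
{
    usec_t expiry = now + cache_timeout;
    if (r->has_next_update && r->next_update < expiry)
        expiry = r->next_update;
    return expiry;
}

/* Cache lifetime in whole seconds for an expiry computed by either policy. */
int64_t lifetime_seconds(usec_t now, usec_t expiry)
{
    return (expiry - now) / USEC_PER_SEC;
}

/* Constructed scenario: a response stored at T0 and valid for seven days, and
 * a second one from a responder that omits nextUpdate. */
#define T0 ((usec_t)1479132773 * USEC_PER_SEC)
static const ocsp_times sample_7d = { T0, T0 + (usec_t)7 * 24 * 3600 * USEC_PER_SEC, true };
static const ocsp_times sample_no_next = { T0, 0, false };

int main(void)
{
    usec_t grace = (usec_t)3600 * USEC_PER_SEC;    /* GnuTLSOCSPGraceTime 3600 */
    usec_t timeout = (usec_t)3600 * USEC_PER_SEC;  /* GnuTLSOCSPCacheTimeout 3600 */
    usec_t month = (usec_t)30 * 24 * 3600 * USEC_PER_SEC;

    printf("grace policy, 7-day response:   %lld s (set by the responder)\n",
           (long long)lifetime_seconds(T0, expiry_grace_policy(&sample_7d, grace)));
    printf("timeout policy, 7-day response: %lld s (set by the admin)\n",
           (long long)lifetime_seconds(T0, expiry_timeout_policy(&sample_7d, T0, timeout)));
    printf("timeout policy, 30-day timeout: %lld s (capped by nextUpdate)\n",
           (long long)lifetime_seconds(T0, expiry_timeout_policy(&sample_7d, T0, month)));
    printf("grace policy, no nextUpdate:    %s\n",
           expiry_grace_policy(&sample_no_next, grace) == 0 ? "no expiry derivable" : "?");
    printf("timeout policy, no nextUpdate:  %lld s\n",
           (long long)lifetime_seconds(T0, expiry_timeout_policy(&sample_no_next, T0, timeout)));
    return 0;
}
```

With a one-hour grace time the old rule keeps a seven-day response cached for just under seven days, a figure chosen by the responder, not the admin; the new rule keeps it for the configured hour, and a responder that omits nextUpdate still gets a bounded lifetime instead of leaving the policy with nothing to compute.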

File:
1 edited

  • include/mod_gnutls.h.in

    rb888e8b re1c094c  
    222222    /* Mutex to prevent parallel OCSP requests */
    223223    apr_global_mutex_t *ocsp_mutex;
    224     /* Cached OCSP responses expire this long before their validity
    225      * period expires. This way mod_gnutls does not staple barely
    226      * valid responses. */
    227     apr_interval_time_t ocsp_grace_time;
     224    /* Cache timeout for OCSP responses. Note that the nextUpdate
     225     * field of the response takes precedence if shorter. */
     226    apr_interval_time_t ocsp_cache_time;
    228227    /* If an OCSP request fails wait this long before trying again. */
    229228    apr_interval_time_t ocsp_failure_timeout;
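Review bot: the new comment on ocsp_cache_time leaves the case of a response without a nextUpdate field unspecified, and RFC 6960 makes nextUpdate OPTIONAL in SingleResponse; state whether the plain timeout then applies on its own. The field name is also inconsistent with its neighbour ocsp_failure_timeout and with the directive named in the commit message, GnuTLSOCSPCacheTimeout, so ocsp_cache_timeout would read better; and since apr_interval_time_t counts microseconds, a note on the unit (as the directive value is presumably given in seconds) would help whoever wires up the directive parser.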