Changeset e1c094c in mod_gnutls for src


Ignore:
Timestamp:
Nov 14, 2016, 2:12:53 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
9a18e30
Parents:
b26a792
Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead of a time relative to the nextUpdate field
of the OCSP response has two main advantages:

  • The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA generally a trusted entity, but its policy is almost always outside the server admin's control and might change.
  • The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.

Location:
src
Files:
4 edited

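--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -869,6 +869,6 @@
     }
     else if (!apr_strnatcasecmp(parms->directive->directive,
-                                "GnuTLSOCSPGraceTime"))
-        sc->ocsp_grace_time = apr_time_from_sec(argint);
+                                "GnuTLSOCSPCacheTimeout"))
+        sc->ocsp_cache_time = apr_time_from_sec(argint);
     else if (!apr_strnatcasecmp(parms->directive->directive,
                                 "GnuTLSOCSPFailureTimeout"))
@@ -1130,5 +1130,5 @@
     sc->ocsp_response_file = NULL;
     sc->ocsp_mutex = NULL;
-    sc->ocsp_grace_time = MGS_TIMEOUT_UNSET;
+    sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
     sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
@@ -1193,5 +1193,5 @@
     gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
-    gnutls_srvconf_merge(ocsp_grace_time, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);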
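--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -663,6 +663,6 @@
     }
 
-    apr_time_t expiry;
-    if (check_ocsp_response(s, &resp, &expiry, nonce.size ? &nonce : NULL)
+    apr_time_t next_update;
+    if (check_ocsp_response(s, &resp, &next_update, nonce.size ? &nonce : NULL)
         != GNUTLS_E_SUCCESS)
     {
@@ -676,11 +676,18 @@
     gnutls_free(nonce.data);
 
-    /* If expiry is zero, the response does not contain a nextUpdate
-     * field. Use the default cache timeout. */
-    if (expiry == 0)
-        expiry = apr_time_now() + sc->cache_timeout;
-    /* Apply grace time otherwise. */
-    else
-        expiry -= sc->ocsp_grace_time;
+    apr_time_t expiry = apr_time_now() + sc->ocsp_cache_time;
+    /* Make sure that a response is not cached beyond its nextUpdate
+     * time. If the variable next_update is zero, the response does
+     * not contain a nextUpdate field. */
+    if (next_update != 0 && next_update < expiry)
+    {
+        char date_str[APR_RFC822_DATE_LEN];
+        apr_rfc822_date(date_str, next_update);
+        ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
+                     "OCSP response timeout restricted to nextUpdate time %s. "
+                     "Check if GnuTLSOCSPCacheTimeout is appropriate.",
+                     date_str);
+        expiry = next_update;
+    }
 
     int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
@@ -924,6 +931,6 @@
     if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
-    if (sc->ocsp_grace_time == MGS_TIMEOUT_UNSET)
-        sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);
+    if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
+        sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
     if (sc->ocsp_failure_timeout == MGS_TIMEOUT_UNSET)
         sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);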
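Review bot: The clamp at new line 682, `if (next_update != 0 && next_update < expiry)`, only caps the cache lifetime from above: when `next_update` is already at or before `apr_time_now()`, `expiry` ends up in the past and is still handed to `sc->cache->store` at line 693, and what the cache backend does with an already-expired entry is not visible here. Unless `check_ocsp_response` (its body is outside this hunk) is known to reject responses whose nextUpdate has passed, I would handle that case the way the verification failure above is handled rather than caching, e.g. a guard before the clamp such as `if (next_update != 0 && next_update <= apr_time_now()) { /* stale response: do not cache, fail like check_ocsp_response */ }`. Separately, the warning on lines 686-689 passes `APR_EGENERAL` as the status, which makes `ap_log_error` prefix the message with an "Internal error" errno description although nothing failed; `APR_SUCCESS` is the usual status for a configuration advisory, and since the message is emitted on every refresh whenever the responder's nextUpdate interval is shorter than GnuTLSOCSPCacheTimeout, APLOG_INFO may be the more appropriate level. The enclosing function starts and ends outside the hunk.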
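--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -25,6 +25,6 @@
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
 
-/* Default OCSP response grace time in seconds */
-#define MGS_OCSP_GRACE_TIME 60
+/* Default OCSP response cache timeout in seconds */
+#define MGS_OCSP_CACHE_TIMEOUT 3600
 /* Default OCSP failure timeout in seconds */
 #define MGS_OCSP_FAILURE_TIMEOUT 300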
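--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -283,8 +283,7 @@
                   "of sending a request over HTTP (must be updated "
                   "externally)"),
-    AP_INIT_TAKE1("GnuTLSOCSPGraceTime", mgs_set_timeout,
+    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,
-                  "Replace cached OCSP responses this many seconds before "
-                  "they expire"),
+                  "Cache timeout for OCSP responses"),
     AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,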
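Review bot: The new help text on line 287, `"Cache timeout for OCSP responses"`, drops the unit that the replaced text carried, while the directive value is still converted with `apr_time_from_sec` in the gnutls_config.c part of this changeset, and the gnutls_ocsp.c part caps the cached lifetime at the response's nextUpdate time. Admins reading `httpd -L` only see this string, so I would make it `"Cache timeout in seconds for OCSP responses (never beyond the response's nextUpdate time)"`. The command table this entry belongs to starts and ends outside the hunk.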