Changeset e1c094c in mod_gnutls for src/gnutls_config.c


Timestamp:
Nov 14, 2016, 2:12:53 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
9a18e30
Parents:
b26a792
Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead of a time relative to the nextUpdate field
of the OCSP response has two main advantages:

  • The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA generally a trusted entity, but its policy is almost always outside the server admin's control and might change.
  • The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally, a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.
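The two expiry policies the commit message contrasts, side by side as an added example (not mod_gnutls code, and not using APR): the old grace time subtracts a margin from the response's nextUpdate, the new cache timeout counts from the fetch time. Plain `time_t` seconds stand in for `apr_time_t`, `TIMEOUT_UNSET` and the one-hour fallback are assumptions standing in for `MGS_TIMEOUT_UNSET` and whatever default the module applies, and `next_update == 0` models a response without the optional nextUpdate field. The example also adds the check a practitioner wants with a static timeout: the cached expiry is capped at nextUpdate, so a generous `GnuTLSOCSPCacheTimeout` never keeps stapling a response that clients will treat as expired.

```c
#include <stdbool.h>
#include <time.h>

/* Assumed sentinel, stands in for MGS_TIMEOUT_UNSET in this example. */
#define TIMEOUT_UNSET ((time_t)-1)
/* Assumed fallback when no cache timeout is configured (one hour). */
#define DEFAULT_CACHE_TIMEOUT ((time_t)3600)

/* Old policy (GnuTLSOCSPGraceTime): re-fetch `grace` seconds before the
 * responder's nextUpdate.  The cache lifetime depends entirely on the CA's
 * choice of nextUpdate; with no nextUpdate there is nothing to be relative
 * to, so the response is not cached at all (expiry == now). */
time_t expiry_grace_time(time_t next_update, time_t grace, time_t now)
{
    if (next_update == 0)
        return now;
    time_t exp = next_update - grace;
    return exp > now ? exp : now;
}

/* New policy (GnuTLSOCSPCacheTimeout): re-fetch `timeout` seconds after the
 * response was obtained, independent of CA policy.  The clamp to nextUpdate
 * is the safety check: a response is never served past the validity window
 * the responder declared, however large the configured timeout is. */
time_t expiry_cache_timeout(time_t next_update, time_t timeout, time_t now)
{
    if (timeout == TIMEOUT_UNSET)
        timeout = DEFAULT_CACHE_TIMEOUT;
    time_t exp = now + timeout;
    if (next_update != 0 && next_update < exp)
        exp = next_update;
    return exp;
}

/* Whether a fetched response may be stapled at all: thisUpdate must not lie
 * in the future and nextUpdate (if present) must not have passed.  Caching
 * policy only decides when to refresh; it never rescues an unusable one. */
bool response_usable(time_t this_update, time_t next_update, time_t now)
{
    if (this_update > now)
        return false;
    if (next_update != 0 && next_update <= now)
        return false;
    return true;
}

int main(void)
{
    /* Constructed timestamps: fetched at t=1000, responder says valid until 1200. */
    time_t now = 1000, next_update = 1200;
    if (!response_usable(900, next_update, now))
        return 1;
    /* Old policy with 300 s grace would refresh immediately (1200-300 < now). */
    if (expiry_grace_time(next_update, 300, now) != now)
        return 1;
    /* New policy with 3600 s timeout is capped at nextUpdate, not now+3600. */
    if (expiry_cache_timeout(next_update, 3600, now) != next_update)
        return 1;
    return 0;
}
```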

File:
1 edited

  • src/gnutls_config.c

    rb26a792 re1c094c  
    869869    }
    870870    else if (!apr_strnatcasecmp(parms->directive->directive,
    871                                 "GnuTLSOCSPGraceTime"))
    872         sc->ocsp_grace_time = apr_time_from_sec(argint);
     871                                "GnuTLSOCSPCacheTimeout"))
     872        sc->ocsp_cache_time = apr_time_from_sec(argint);
    873873    else if (!apr_strnatcasecmp(parms->directive->directive,
    874874                                "GnuTLSOCSPFailureTimeout"))
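Review bot: renaming the match string from "GnuTLSOCSPGraceTime" to "GnuTLSOCSPCacheTimeout" with no alias means any existing configuration that still uses the old directive will fail at startup as an unknown directive; either keep a deprecated branch that maps the old name onto sc->ocsp_cache_time for one release, or call the break out explicitly in the changelog and directive documentation. This hunk only changes the string compared against parms->directive->directive, so the directive registration (not in this file) and the handbook text need the new name in the same change or it is unreachable. Nothing visible here rejects a zero or negative argint before apr_time_from_sec(argint); if the shared parsing above this branch does not, add that check. Finally, because the message says the cache lifetime is now independent of the response's nextUpdate, the code consuming sc->ocsp_cache_time should still cap the cached expiry at nextUpdate, otherwise a large GnuTLSOCSPCacheTimeout keeps stapling a response that clients will treat as expired.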
     
    11301130    sc->ocsp_response_file = NULL;
    11311131    sc->ocsp_mutex = NULL;
    1132     sc->ocsp_grace_time = MGS_TIMEOUT_UNSET;
     1132    sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
    11331133    sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
    11341134    sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
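Review bot: sc->ocsp_cache_time defaults to MGS_TIMEOUT_UNSET here, which defers the effective default to wherever the value is consumed; since this timeout now bounds how long a stapled response is reused, document what an unset GnuTLSOCSPCacheTimeout resolves to alongside the new directive.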
     
    11931193    gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
    11941194    gnutls_srvconf_assign(ocsp_response_file);
    1195     gnutls_srvconf_merge(ocsp_grace_time, MGS_TIMEOUT_UNSET);
     1195    gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
    11961196    gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
    11971197    gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);