Changeset e1c094c in mod_gnutls for src/gnutls_ocsp.c


Ignore:
Timestamp:
Nov 14, 2016, 2:12:53 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
9a18e30
Parents:
b26a792
Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead a time relative to the nextUpdate field
of the OCSP response has two main advantages:

  • The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA generally a trusted entity, but its policy is almost always outside the server admin's control and might change.
  • The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_ocsp.c

    rb26a792 re1c094c  
    663663    }
    664664
    665     apr_time_t expiry;
    666     if (check_ocsp_response(s, &resp, &expiry, nonce.size ? &nonce : NULL)
     665    apr_time_t next_update;
     666    if (check_ocsp_response(s, &resp, &next_update, nonce.size ? &nonce : NULL)
    667667        != GNUTLS_E_SUCCESS)
    668668    {
     
    676676    gnutls_free(nonce.data);
    677677
    678     /* If expiry is zero, the response does not contain a nextUpdate
    679      * field. Use the default cache timeout. */
    680     if (expiry == 0)
    681         expiry = apr_time_now() + sc->cache_timeout;
    682     /* Apply grace time otherwise. */
    683     else
    684         expiry -= sc->ocsp_grace_time;
     678    apr_time_t expiry = apr_time_now() + sc->ocsp_cache_time;
     679    /* Make sure that a response is not cached beyond its nextUpdate
     680     * time. If the variable next_update is zero, the response does
     681     * not contain a nextUpdate field. */
     682    if (next_update != 0 && next_update < expiry)
     683    {
     684        char date_str[APR_RFC822_DATE_LEN];
     685        apr_rfc822_date(date_str, next_update);
     686        ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
     687                     "OCSP response timeout restricted to nextUpdate time %s. "
     688                     "Check if GnuTLSOCSPCacheTimeout is appropriate.",
     689                     date_str);
     690        expiry = next_update;
     691    }
    685692
    686693    int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
     
    924931    if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
    925932        sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
    926     if (sc->ocsp_grace_time == MGS_TIMEOUT_UNSET)
    927         sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);
     933    if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
     934        sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
    928935    if (sc->ocsp_failure_timeout == MGS_TIMEOUT_UNSET)
    929936        sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
Note: See TracChangeset for help on using the changeset viewer.