Changeset e1c094c in mod_gnutls for src/mod_gnutls.c


Timestamp:
Nov 14, 2016, 2:12:53 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
9a18e30
Parents:
b26a792
Message:

Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout

Configuring a timeout instead of a time relative to the nextUpdate field
of the OCSP response has two main advantages:

  • The maximum cache lifetime is independent of any external data. The OCSP response is signed and the CA generally a trusted entity, but its policy is almost always outside the server admin's control and might change.
  • The principle is a lot simpler and thus less likely to lead to implementation or configuration errors.

Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.

File:
1 edited

  • src/mod_gnutls.c

    rb26a792 re1c094c  
    283283                  "of sending a request over HTTP (must be updated "
    284284                  "externally)"),
    285     AP_INIT_TAKE1("GnuTLSOCSPGraceTime", mgs_set_timeout,
     285    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
    286286                  NULL, RSRC_CONF,
    287                   "Replace cached OCSP responses this many seconds before "
    288                   "they expire"),
     287                  "Cache timeout for OCSP responses"),
    289288    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
    290289                  NULL, RSRC_CONF,
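Review bot: The new help string at new line 287, "Cache timeout for OCSP responses", drops the unit that the removed text carried ("this many seconds"); suggest something like "Cache timeout for OCSP responses, in seconds" so the directive help still tells an admin what the number means. The directive is also renamed in place with no entry left for GnuTLSOCSPGraceTime, so a configuration that still uses the old name will no longer match any directive in this table. Because the value changes meaning from an offset before expiry to a cache lifetime, silently accepting the old name would be worse, but the rename should be called out in the documentation and changelog. Both the old and new entries route to mgs_set_timeout, which is not part of this hunk, so it is worth confirming that the handler recognizes the new directive name and stores the value in the intended field.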