[PATCH] SSL: ssl_stapling_valid directive

kyprizel
January 11, 2014 10:54AM
In some cases we need to vary the period after which the OCSP response will be refreshed.
By default it was hardcoded to 3600 sec. This directive allows changing it
via config.

Also, there were bursts when all the cluster nodes and nginx workers
went to update their OCSP staples - a random delay within 180 sec was
added to fix it.

# HG changeset patch
# User Eldar Zaitov <eldar@kyprizel.net>
# Date 1389455065 -14400
# Node ID c883560fbb43a249cc19bb9eaea7c30ad486f84c
# Parent 4aa64f6950313311e0d322a2af1788edeb7f036c
SSL: ssl_stapling_valid directive.

Sets caching time for stapled OCSP response.
Example:

ssl_stapling_valid 1h;

Default: 1 hour.

diff -r 4aa64f695031 -r c883560fbb43 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/event/ngx_event_openssl.h Sat Jan 11 19:44:25 2014 +0400
@@ -119,7 +119,8 @@
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+ ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify,
+ time_t cache_time);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
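Review bot: naming is inconsistent across the patch: the new parameter (and the staple struct field) is `cache_time` while the directive and the srv conf field are `stapling_valid`, and the existing `staple->valid` already means "valid until". Pick one name for the duration (e.g. `stapling_valid` end to end, or `cache_time` everywhere) so someone grepping from the directive lands on the implementation.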
diff -r 4aa64f695031 -r c883560fbb43 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Sat Jan 04 03:32:22 2014
+0400
+++ b/src/event/ngx_event_openssl_stapling.c Sat Jan 11 19:44:25 2014
+0400
@@ -32,6 +32,7 @@
X509 *issuer;

time_t valid;
+ time_t cache_time;

unsigned verify:1;
unsigned loading:1;
@@ -116,7 +117,7 @@

ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
- ngx_str_t *responder, ngx_uint_t verify)
+ ngx_str_t *responder, ngx_uint_t verify, time_t cache_time)
{
ngx_int_t rc;
ngx_pool_cleanup_t *cln;
@@ -146,6 +147,7 @@
staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000;
staple->verify = verify;
+ staple->cache_time = cache_time;

if (file->len) {
/* use OCSP response from the file */
@@ -656,7 +658,11 @@
done:

staple->loading = 0;
- staple->valid = ngx_time() + 3600; /* ssl_stapling_valid */
+
+ /* ssl_stapling_valid */
+
+ staple->valid = ngx_time() + staple->cache_time
+ + (ngx_random() % 180);

ngx_ssl_ocsp_done(ctx);
return;
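Review bot: the refresh time is now derived only from the configured `cache_time` plus jitter; nothing bounds it by the OCSP response's own nextUpdate, so a large `ssl_stapling_valid` keeps a staple in service after the responder has stopped vouching for it, where the old hardcoded 3600 at least limited that exposure. Suggest capping the computed value at the response's nextUpdate when one is present. Separately, `ngx_random() % 180` is always added, so the effective interval is `cache_time` to `cache_time + 179` seconds while the commit message says "Sets caching time"; either document the value as a minimum or subtract the jitter so the configured value is the maximum. Style: the isolated `/* ssl_stapling_valid */` comment between two blank lines is noisier than the previous single line with a trailing comment.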
diff -r 4aa64f695031 -r c883560fbb43 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Sat Jan 04 03:32:22 2014
+0400
+++ b/src/http/modules/ngx_http_ssl_module.c Sat Jan 11 19:44:25 2014
+0400
@@ -209,6 +209,13 @@
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
NULL },

+ { ngx_string("ssl_stapling_valid"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_sec_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, stapling_valid),
+ NULL },
+
ngx_null_command
};

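Review bot: no lower bound is enforced on `ssl_stapling_valid`: `ngx_conf_set_sec_slot` accepts `0`, in which case, combined with the `% 180` jitter in ngx_event_openssl_stapling.c, every worker on every node would re-query the responder every 0 to 179 seconds, recreating the burst problem the patch set out to fix. Suggest a post handler on the slot, or a check in the merge handler, that rejects zero (and arguably anything below a sane minimum), and state the minimum in the commit message.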
@@ -439,6 +446,7 @@
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->stapling_valid = NGX_CONF_UNSET;

return sscf;
}
@@ -500,6 +508,8 @@
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");
+ ngx_conf_merge_value(conf->stapling_valid,
+ prev->stapling_valid, 3600);

conf->ssl.log = cf->log;

@@ -656,7 +666,8 @@
if (conf->stapling) {

if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
- &conf->stapling_responder,
conf->stapling_verify)
+ &conf->stapling_responder,
conf->stapling_verify,
+ conf->stapling_valid)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 4aa64f695031 -r c883560fbb43 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Sat Jan 04 03:32:22 2014
+0400
+++ b/src/http/modules/ngx_http_ssl_module.h Sat Jan 11 19:44:25 2014
+0400
@@ -50,6 +50,7 @@
ngx_flag_t stapling_verify;
ngx_str_t stapling_file;
ngx_str_t stapling_responder;
+ time_t stapling_valid;

u_char *file;
ngx_uint_t line;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel