From 7e1a62e2b423b7aa698ec4fc9ca7fabbdf75ccd1 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 28 Feb 2023 17:46:27 +0100
Subject: [PATCH] MINOR: ssl: Increment OCSP update replay delay in case of failure

In case of successive OCSP update errors for a given OCSP response, the retry delay will be multiplied by 2 for every new failure in order to avoid retrying too often to update responses for which the responder is unresponsive (for instance). The maximum delay will still be taken into account so the OCSP update requests will wtill be sent at least every hour.
---
 src/ssl_ocsp.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 54b7cca34..d3e028a12 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -908,6 +908,8 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 	 */
 	ssl_ocsp_set_next_update(ocsp);
 
+	ocsp->fail_count = 0;
+
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 	eb64_insert(&ocsp_update_tree, &ocsp->next_update);
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
@@ -924,13 +926,27 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
  */
 int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
 {
-	/* Set next_update based on current time and the various OCSP
+	int replay_delay = 0;
+	/*
+	 * Set next_update based on current time and the various OCSP
 	 * minimum/maximum update times.
 	 */
 	ssl_ocsp_set_next_update(ocsp);
 
-	if (ocsp->next_update.key < now.tv_sec + SSL_OCSP_HTTP_ERR_REPLAY)
-		ocsp->next_update.key = now.tv_sec + SSL_OCSP_HTTP_ERR_REPLAY;
+	++ocsp->fail_count;
+
+	/*
+	 * The replay delay will be increased for every consecutive update
+	 * failure, up to the SSL_OCSP_UPDATE_DELAY_MAX delay. It will ensure
+	 * that the replay delay will be one minute for the first failure and
+	 * will be multiplied by 2 for every subsequent failures, while still
+	 * being at most 1 hour (with the current default values).
+	 */
+	replay_delay = MIN(SSL_OCSP_HTTP_ERR_REPLAY * (1 << ocsp->fail_count),
+			   SSL_OCSP_UPDATE_DELAY_MAX);
+
+	if (ocsp->next_update.key < now.tv_sec + replay_delay)
+		ocsp->next_update.key = now.tv_sec + replay_delay;
 
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 	eb64_insert(&ocsp_update_tree, &ocsp->next_update);
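Review bot: `1 << ocsp->fail_count` in the new replay_delay computation is unbounded — fail_count is bumped on every consecutive failure and is only reset on the success path, so once it reaches 31 the shift is undefined behaviour for a 32-bit int (and the product with SSL_OCSP_HTTP_ERR_REPLAY overflows a few failures earlier, at 26 if that constant is 60), after which MIN() may pick a negative or tiny value and the backoff against an unresponsive responder collapses into a tight retry loop; with hourly retries at the cap that is on the order of a day of outage, which is realistic for a dead responder. Stop counting once the delay has saturated instead of relying on MIN() after the fact, e.g. replace `++ocsp->fail_count;` with `if ((SSL_OCSP_HTTP_ERR_REPLAY << ocsp->fail_count) < SSL_OCSP_UPDATE_DELAY_MAX) ++ocsp->fail_count;` so the shift count can never grow past the point where the cap applies (fail_count's declaration and the two constants are outside this patch, so the exact overflow point is inferred). Note also that the increment precedes the shift, so the first failure already waits `2 * SSL_OCSP_HTTP_ERR_REPLAY` rather than the "one minute for the first failure" the new comment promises unless that constant is 30 s; either the comment or the shift amount (`fail_count - 1`) should be adjusted so they agree. The body of ssl_ocsp_update_insert_after_error continues past the end of the hunk.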