From bdd84c5ffb66a772a1713668889f25ce9d3a29d0 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Thu, 12 Jan 2023 09:49:08 +0100
Subject: [PATCH] BUG/MINOR: ssl: OCSP minimum update threshold not properly set

An arbitrary 5 minutes minimum interval between two updates of the same OCSP response is defined but it was not properly used when inserting entries in the update tree. This patch does not need to be backported.
---
 src/ssl_ocsp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 017f01837..53afaae86 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -869,7 +869,8 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 * updated more than once every 5 minutes in order to avoid continuous
 * update of the same response. */
 if (b_data(&ocsp->response))
- ocsp->next_update.key = MAX(ocsp->next_update.key, SSL_OCSP_UPDATE_DELAY_MIN);
+ ocsp->next_update.key = MAX(ocsp->next_update.key,
+ now.tv_sec + SSL_OCSP_UPDATE_DELAY_MIN);

 HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 eb64_insert(&ocsp_update_tree, &ocsp->next_update);
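Review bot: The new floor `now.tv_sec + SSL_OCSP_UPDATE_DELAY_MIN` is only meaningful if `ocsp->next_update.key` is an absolute time in seconds taken from the same clock as `now`, and the code that computes the key is outside this hunk, so that cannot be confirmed here. If the key is derived from the OCSP response's validity dates (wall-clock time) while `now` is an internally adjusted date, a clock step could make the 5-minute minimum shorter or longer than intended, which affects both how often the responder is queried and how long a stale staple may be served. I would state the unit and clock in the comment above the `if`, e.g. `/* next_update.key is an absolute date in seconds on the same clock as now.tv_sec */`, and check that `MAX()` compares both operands at the same width and signedness, since the 64-bit tree key is presumably unsigned while `tv_sec` is signed. The body of ssl_ocsp_update_insert() starts and ends outside the hunk.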