mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-10 09:07:02 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: ssl: add 300s supported time skew on OCSP response update.

Browse Source 
OCSP_MAX_RESPONSE_TIME_SKEW can be set to a different value at
compilation (default is 300 seconds).
This commit is contained in:
Emeric Brun 2014-06-19 14:16:17 +02:00 committed by Willy Tarreau
parent af4ef741e9
commit c8b27b6c68
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/common/defaults.h
View File

@ -235,4 +235,7 @@
#define OCSP_MAX_CERTID_ASN1_LENGTH 128 #define OCSP_MAX_CERTID_ASN1_LENGTH 128
#endif #endif
#ifndef OCSP_MAX_RESPONSE_TIME_SKEW
#define OCSP_MAX_RESPONSE_TIME_SKEW 300
#endif
#endif /* _COMMON_DEFAULTS_H */ #endif /* _COMMON_DEFAULTS_H */

2
src/ssl_sock.c
View File

@ -179,7 +179,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
goto out; goto out;
} }
rc = OCSP_check_validity(thisupd, nextupd, 0, -1); rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
if (!rc) { if (!rc) {
memprintf(err, "OCSP single response: no longer valid."); memprintf(err, "OCSP single response: no longer valid.");
goto out; goto out;