<div dir="ltr"><div><div>In some cases the period after which the OCSP response is refreshed needs to be tuned.<br></div>By default it was hard-coded to 3600 seconds; this directive makes it configurable.<br></div><br>Also, there were bursts when all cluster nodes and nginx workers went to refresh their OCSP staples at the same moment — a random delay of up to 180 seconds was added to spread those refreshes out.<br>
<div><div><div><div>

# HG changeset patch
# User Eldar Zaitov <<a href="mailto:eldar@kyprizel.net">eldar@kyprizel.net</a>>
# Date 1389455065 -14400
# Node ID c883560fbb43a249cc19bb9eaea7c30ad486f84c
# Parent  4aa64f6950313311e0d322a2af1788edeb7f036c
SSL: ssl_stapling_valid directive.

Sets caching time for stapled OCSP response.
Example:

   ssl_stapling_valid 1h;

Default: 1 hour.

diff -r 4aa64f695031 -r c883560fbb43 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/event/ngx_event_openssl.h Sat Jan 11 19:44:25 2014 +0400
@@ -119,7 +119,8 @@
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify,
+    time_t cache_time);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
diff -r 4aa64f695031 -r c883560fbb43 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c    Sat Jan 04 03:32:22 2014 +0400
+++ b/src/event/ngx_event_openssl_stapling.c    Sat Jan 11 19:44:25 2014 +0400
@@ -32,6 +32,7 @@
     X509                        *issuer;
 
     time_t                       valid;
+    time_t                       cache_time;
 
     unsigned                     verify:1;
     unsigned                     loading:1;
@@ -116,7 +117,7 @@
 
 ngx_int_t
 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
-    ngx_str_t *responder, ngx_uint_t verify)
+    ngx_str_t *responder, ngx_uint_t verify, time_t cache_time)
 {
     ngx_int_t                  rc;
     ngx_pool_cleanup_t        *cln;
@@ -146,6 +147,7 @@
     staple->ssl_ctx = ssl->ctx;
     staple->timeout = 60000;
     staple->verify = verify;
+    staple->cache_time = cache_time;
 
     if (file->len) {
         /* use OCSP response from the file */
@@ -656,7 +658,11 @@
 done:
 
     staple->loading = 0;
-    staple->valid = ngx_time() + 3600; /* ssl_stapling_valid */
+
+    /* ssl_stapling_valid */
+
+    staple->valid = ngx_time() + staple->cache_time
+                               + (ngx_random() % 180);
 
     ngx_ssl_ocsp_done(ctx);
     return;
diff -r 4aa64f695031 -r c883560fbb43 src/http/modules/ngx_http_ssl_module.c
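Review bot: The refresh deadline set in the `done:` path, `staple->valid = ngx_time() + staple->cache_time + (ngx_random() % 180)`, is bounded only by the configured value and never by the OCSP response itself, so a `ssl_stapling_valid` longer than the responder's nextUpdate keeps an expired staple in service until the timer fires, and nothing in this hunk consults thisUpdate/nextUpdate (if they are parsed elsewhere, which is not visible here, the cache time should be clamped to nextUpdate minus now). The fixed 180-second jitter also swamps small configured values — with `ssl_stapling_valid 30s` the effective interval is 30–209 s — and the bare literal deserves a name and a why-comment, e.g. `#define NGX_SSL_STAPLING_JITTER  180  /* spread refreshes across workers and nodes so they do not hit the responder at once */`. `ngx_random()` is fine for jitter but should not be read as anything stronger. The enclosing handler starts outside the hunk.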
--- a/src/http/modules/ngx_http_ssl_module.c    Sat Jan 04 03:32:22 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c    Sat Jan 11 19:44:25 2014 +0400
@@ -209,6 +209,13 @@
       offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
       NULL },
 
+    { ngx_string("ssl_stapling_valid"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_sec_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, stapling_valid),
+      NULL },
+
       ngx_null_command
 };
 
@@ -439,6 +446,7 @@
     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
     sscf->stapling = NGX_CONF_UNSET;
     sscf->stapling_verify = NGX_CONF_UNSET;
+    sscf->stapling_valid = NGX_CONF_UNSET;
 
     return sscf;
 }
@@ -500,6 +508,8 @@
     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
     ngx_conf_merge_str_value(conf->stapling_responder,
                          prev->stapling_responder, "");
+    ngx_conf_merge_value(conf->stapling_valid,
+                         prev->stapling_valid, 3600);
 
     conf->ssl.log = cf->log;
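Review bot: `stapling_valid` is a `time_t` filled by `ngx_conf_set_sec_slot`, but the merge hunk uses `ngx_conf_merge_value`, the macro for flag/int fields; nginx's matching macro for seconds-valued fields is `ngx_conf_merge_sec_value`, and it should be used here so the field is merged like the other time settings: `ngx_conf_merge_sec_value(conf->stapling_valid, prev->stapling_valid, 3600);`. Nothing in the hunk rejects `ssl_stapling_valid 0`, which `ngx_conf_set_sec_slot` does not refuse, so a zero value would have every staple refresh within the jitter window alone; a post-merge check such as `if (conf->stapling_valid <= 0) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "\"ssl_stapling_valid\" must be positive"); return NGX_CONF_ERROR; }` would catch it at startup. The default `3600` duplicates the "1 hour" in the commit message and would be clearer as a named constant. The merge function continues outside the hunk.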
 
@@ -656,7 +666,8 @@
     if (conf->stapling) {
 
         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
-                             &conf->stapling_responder, conf->stapling_verify)
+                             &conf->stapling_responder, conf->stapling_verify,
+                             conf->stapling_valid)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
diff -r 4aa64f695031 -r c883560fbb43 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h    Sat Jan 04 03:32:22 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.h    Sat Jan 11 19:44:25 2014 +0400
@@ -50,6 +50,7 @@
     ngx_flag_t                      stapling_verify;
     ngx_str_t                       stapling_file;
     ngx_str_t                       stapling_responder;
+    time_t                          stapling_valid;
 
     u_char                         *file;
     ngx_uint_t                      line;

</div></div></div></div></div>