[PATCH] SSL: ssl_stapling_valid directive

kyprizel kyprizel at gmail.com
Sat Jan 11 15:52:12 UTC 2014


In some cases the interval after which a stapled OCSP response is refreshed needs to be adjusted. Previously it was hardcoded to 3600 seconds; this directive makes it configurable.

Also, there were bursts of OCSP responder traffic when all cluster nodes and all nginx workers refreshed their OCSP staples at the same moment; a random delay of up to 180 seconds was added to spread these refreshes out.

# HG changeset patch
# User Eldar Zaitov <eldar at kyprizel.net>
# Date 1389455065 -14400
# Node ID c883560fbb43a249cc19bb9eaea7c30ad486f84c
# Parent  4aa64f6950313311e0d322a2af1788edeb7f036c
SSL: ssl_stapling_valid directive.

Sets caching time for stapled OCSP response.
Example:

   ssl_stapling_valid 1h;

Default: 1 hour.

diff -r 4aa64f695031 -r c883560fbb43 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/event/ngx_event_openssl.h Sat Jan 11 19:44:25 2014 +0400
@@ -119,7 +119,8 @@
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify,
+    time_t cache_time);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
diff -r 4aa64f695031 -r c883560fbb43 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c    Sat Jan 04 03:32:22 2014
+0400
+++ b/src/event/ngx_event_openssl_stapling.c    Sat Jan 11 19:44:25 2014
+0400
@@ -32,6 +32,7 @@
     X509                        *issuer;

     time_t                       valid;
+    time_t                       cache_time;

     unsigned                     verify:1;
     unsigned                     loading:1;
@@ -116,7 +117,7 @@

 ngx_int_t
 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
-    ngx_str_t *responder, ngx_uint_t verify)
+    ngx_str_t *responder, ngx_uint_t verify, time_t cache_time)
 {
     ngx_int_t                  rc;
     ngx_pool_cleanup_t        *cln;
@@ -146,6 +147,7 @@
     staple->ssl_ctx = ssl->ctx;
     staple->timeout = 60000;
     staple->verify = verify;
+    staple->cache_time = cache_time;

     if (file->len) {
         /* use OCSP response from the file */
@@ -656,7 +658,11 @@
 done:

     staple->loading = 0;
-    staple->valid = ngx_time() + 3600; /* ssl_stapling_valid */
+
+    /* ssl_stapling_valid */
+
+    staple->valid = ngx_time() + staple->cache_time
+                               + (ngx_random() % 180);

     ngx_ssl_ocsp_done(ctx);
     return;
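Review bot: The expiry computed on the `staple->valid =` line is driven only by the configured cache time and never by the validity window of the OCSP response itself, so a large `ssl_stapling_valid` keeps nginx stapling a response past its nextUpdate, which clients treat as expired and which a must-staple deployment may reject outright. If the parsed response's nextUpdate is available in this handler (upstream checks the response's dates on this path, but that is not visible in the hunk), the computed `staple->valid` should be clamped so it never exceeds it, and the directive documentation should say the configured value is an upper bound. Note also that `(ngx_random() % 180)` only ever extends the lifetime, so the effective refresh interval is `cache_time` to `cache_time + 179` seconds rather than the documented value; if the intent is to spread refreshes without exceeding the configured age, subtract the jitter instead, and give the 180 a named constant such as `#define NGX_SSL_STAPLING_JITTER 180`. The enclosing function (the `done:` label) starts outside this hunk.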
diff -r 4aa64f695031 -r c883560fbb43 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c    Sat Jan 04 03:32:22 2014
+0400
+++ b/src/http/modules/ngx_http_ssl_module.c    Sat Jan 11 19:44:25 2014
+0400
@@ -209,6 +209,13 @@
       offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
       NULL },

+    { ngx_string("ssl_stapling_valid"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_sec_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, stapling_valid),
+      NULL },
+
       ngx_null_command
 };

@@ -439,6 +446,7 @@
     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
     sscf->stapling = NGX_CONF_UNSET;
     sscf->stapling_verify = NGX_CONF_UNSET;
+    sscf->stapling_valid = NGX_CONF_UNSET;

     return sscf;
 }
@@ -500,6 +508,8 @@
     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
     ngx_conf_merge_str_value(conf->stapling_responder,
                          prev->stapling_responder, "");
+    ngx_conf_merge_value(conf->stapling_valid,
+                         prev->stapling_valid, 3600);

     conf->ssl.log = cf->log;

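Review bot: `stapling_valid` is a `time_t` filled in by `ngx_conf_set_sec_slot`, so the merge should use the matching `ngx_conf_merge_sec_value(conf->stapling_valid, prev->stapling_valid, 3600);` rather than the generic `ngx_conf_merge_value`; the two expand to the same test today, but the sec variant documents the unit and keeps the merge consistent with the directive's parser. The slot also accepts `0`, and nothing here rejects it; with the jitter applied in the stapling handler (not in this hunk) that would make every worker re-fetch the OCSP response within minutes, so a post-handler or a lower bound in the merge (for example refusing values below 60 seconds) is worth considering.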
@@ -656,7 +666,8 @@
     if (conf->stapling) {

         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
-                             &conf->stapling_responder,
conf->stapling_verify)
+                             &conf->stapling_responder,
conf->stapling_verify,
+                             conf->stapling_valid)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
diff -r 4aa64f695031 -r c883560fbb43 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h    Sat Jan 04 03:32:22 2014
+0400
+++ b/src/http/modules/ngx_http_ssl_module.h    Sat Jan 11 19:44:25 2014
+0400
@@ -50,6 +50,7 @@
     ngx_flag_t                      stapling_verify;
     ngx_str_t                       stapling_file;
     ngx_str_t                       stapling_responder;
+    time_t                          stapling_valid;

     u_char                         *file;
     ngx_uint_t                      line;

