[PATCH] SSL: ssl_stapling_valid directive

Maxim Dounin mdounin at mdounin.ru
Mon Jan 13 13:57:36 UTC 2014


Hello!

On Sat, Jan 11, 2014 at 07:52:12PM +0400, kyprizel wrote:

> In some cases we need to vary the period after which the OCSP response will be refreshed.
> By default it was hardcoded to 3600 sec. This directive allows changing it
> via config.

In which "some cases"?  The directive was omitted intentionally 
to simplify things as it seems to be good enough to have a hardcoded 
1h value.

Note well that OCSP responses have their validity times available, 
and it may be a good idea to derive needed times from there 
instead of making things user-configurable.
 
> Also, there were some bursts when all the cluster nodes and nginx
> workers went to update their OCSP staples; a random delay within 180 sec was
> added to fix it.

This may make sense, but certainly should be a separate patch.

[...]

> @@ -32,6 +32,7 @@
>      X509                        *issuer;
> 
>      time_t                       valid;
> +    time_t                       cache_time;
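Review bot: `cache_time` on the `+` line is a duration, but it is declared with the same type and sits directly under `valid`, which is an absolute time, so the two read as the same kind of value; a name that says what it is (`refresh_interval`, or whatever matches the surrounding nginx naming) would avoid that, and since this hunk introduces a user-facing setting the directive also needs a reference entry, which nothing in the visible patch provides.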

I don't really like the name used.

[...]

> @@ -656,7 +658,11 @@
>  done:
> 
>      staple->loading = 0;
> -    staple->valid = ngx_time() + 3600; /* ssl_stapling_valid */
> +
> +    /* ssl_stapling_valid */
> +
> +    staple->valid = ngx_time() + staple->cache_time
> +                               + (ngx_random() % 180);
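Review bot: the new `staple->valid` is computed only from `cache_time` plus `ngx_random() % 180`, and nothing in this hunk bounds it by the nextUpdate of the OCSP response that was just parsed, so a configured value longer than the responder's validity window keeps the timer running past the point where the staple has expired; clamp the result against the response's nextUpdate (minus a margin) before adding the interval. The `180` is also a new unexplained magic number replacing the one the old comment explained, so the jitter belongs in a separate patch with a named constant.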

The comment is here to indicate what the "3600" magic number 
means.  Preserving it shouldn't be needed.

[...]

-- 
Maxim Dounin
http://nginx.org/
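The suggestion in the reply above, that the refresh time should be derived from the validity window the OCSP response already carries rather than from a user-set constant, as an added example in C that is not part of this thread and not nginx code. It assumes the caller has already parsed thisUpdate and nextUpdate out of the response into plain `time_t` values; the struct, the function names, the interval and margin constants, and the clock-skew tolerance are all this example's own choices. The random offset is passed in rather than drawn inside the policy function so the scheduling rule itself is deterministic and testable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Sentinel for a response that carries no nextUpdate (it is optional in RFC 6960). */
#define OCSP_NO_NEXT_UPDATE   ((time_t) -1)

/* Policy knobs: values assumed for this example, not taken from nginx. */
#define REFRESH_MIN_INTERVAL   300   /* never hit the responder more often than every 5 min   */
#define REFRESH_MAX_INTERVAL  3600   /* the old hardcoded 1h becomes an upper bound, not the rule */
#define REFRESH_SAFETY_MARGIN  600   /* fetch a new staple this long before the old one expires */
#define REFRESH_JITTER_MAX     180   /* spread refreshes across workers and cluster nodes        */
#define CLOCK_SKEW             300   /* tolerance when checking thisUpdate / nextUpdate          */

typedef struct {
    time_t  this_update;             /* thisUpdate from the response                 */
    time_t  next_update;             /* nextUpdate, or OCSP_NO_NEXT_UPDATE if absent */
} ocsp_validity_t;

/* Returns 1 if the response may be stapled at time `now`, 0 otherwise. */
int
ocsp_staple_usable(const ocsp_validity_t *v, time_t now)
{
    if (v->this_update > now + CLOCK_SKEW) {
        return 0;                    /* produced in the future beyond skew: reject */
    }

    if (v->next_update != OCSP_NO_NEXT_UPDATE && v->next_update + CLOCK_SKEW < now) {
        return 0;                    /* already expired */
    }

    return 1;
}

/*
 * When the next response should be fetched.  `jitter` is a caller-supplied
 * offset in [0, REFRESH_JITTER_MAX); the policy itself is deterministic.
 */
time_t
ocsp_staple_refresh_time(const ocsp_validity_t *v, time_t now, time_t jitter)
{
    time_t  refresh;

    if (v->next_update == OCSP_NO_NEXT_UPDATE) {
        refresh = now + REFRESH_MAX_INTERVAL;   /* no window to derive from: use the cap */

    } else {
        /* aim for a margin before expiry; a stale window collapses to the minimum */
        refresh = v->next_update - REFRESH_SAFETY_MARGIN;

        if (refresh > now + REFRESH_MAX_INTERVAL) {
            refresh = now + REFRESH_MAX_INTERVAL;
        }

        if (refresh < now + REFRESH_MIN_INTERVAL) {
            refresh = now + REFRESH_MIN_INTERVAL;
        }
    }

    return refresh + jitter;
}

int
main(void)
{
    /* Constructed sample: response issued 10 minutes ago, good for 4 hours. */
    time_t           now = time(NULL);
    ocsp_validity_t  v   = { now - 600, now + 4 * 3600 };

    srand((unsigned) now);

    if (!ocsp_staple_usable(&v, now)) {
        printf("response not usable at %ld\n", (long) now);
        return 1;
    }

    printf("refresh in %ld s\n",
           (long) (ocsp_staple_refresh_time(&v, now, rand() % REFRESH_JITTER_MAX) - now));

    return 0;
}
```

With a 4 hour window the cap still yields the old 1h cadence; with a responder that issues short-lived responses (30 minutes, say) the refresh lands 10 minutes before expiry, and a response that is already within the margin triggers a quick retry rather than serving an expired staple for the rest of a fixed interval.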


