[PATCH] SSL: ssl_stapling_valid directive
Maxim Dounin
mdounin at mdounin.ru
Mon Jan 13 13:57:36 UTC 2014
Hello!
On Sat, Jan 11, 2014 at 07:52:12PM +0400, kyprizel wrote:
> In some cases we need to vary period after OCSP response will be refreshed.
> By default it was hardcoded to 3600 sec. This directive allows to change it
> via config.
In which "some cases"? The directive was ommitted intentionally
to simplify things as it seems to be good enough to have hardcoded
1h value.
Note well that OCSP responses have their validity times available,
and it may be a good idea to derive needed times from there
instead of making things user-configurable.
> Also, there were some kind of bursts when all the cluster nodes and nginx
> workers go to update their OCSP staples - random delay within 180 sec was
> added to fix it.
This may make sense, but certainly should be a separate patch.
[...]
> @@ -32,6 +32,7 @@
> X509 *issuer;
>
> time_t valid;
> + time_t cache_time;
I don't really like the name used.
[...]
> @@ -656,7 +658,11 @@
> done:
>
> staple->loading = 0;
> - staple->valid = ngx_time() + 3600; /* ssl_stapling_valid */
> +
> + /* ssl_stapling_valid */
> +
> + staple->valid = ngx_time() + staple->cache_time
> + + (ngx_random() % 180);
The comment is here to indicate what the "3600" magic number
means. Preserving it shouldn't be needed.
[...]
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list