revocation: Block only one thread per URL after a previous CRL fetch failed

If a CRL server is unresponsive, all threads trying to fetch this CRL will
block execution. If a recent previous attempt to fetch the CRL failed, it
is likely that it will fail again. While it makes sense to retry fetching
the CRL on demand with one thread, it hardly does to block additional
threads while the first one is blocked during the fetch.

So remember the timestamp of the last CRL fetch failure per URL, and do
not block more than one thread in the CRL fetch for some time. This time
is a multiple of the configured fetch timeout, so that it works well for
any configured value. With the default configuration, a failing CRL fetch
will impact concurrent CRL fetches for the same URL for 30s.
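
The behaviour described in this commit message, sketched as an added example that is not the project's own code: a per-URL gate that remembers the last failure time and, inside the window, lets only one thread block in the fetch. The names `CrlFetchGate` and `fetcher`, and the 10 s timeout with factor 3 (chosen so the window is the 30 s the message mentions), are assumptions.

```python
import threading
import time


class CrlFetchGate:
    """Limits blocking CRL fetches per URL after a recent failure."""

    def __init__(self, fetch_timeout=10.0, factor=3, clock=time.monotonic):
        # Assumed values: 10 s timeout x 3 gives the 30 s window from the message.
        self.window = fetch_timeout * factor
        self.clock = clock
        self.lock = threading.Lock()
        self.failed_at = {}   # url -> time of the last failed fetch
        self.in_flight = {}   # url -> number of threads currently fetching

    def _enter(self, url):
        with self.lock:
            failed = self.failed_at.get(url)
            recent = failed is not None and self.clock() - failed < self.window
            if recent and self.in_flight.get(url, 0) > 0:
                return False  # another thread is already retrying; do not block
            self.in_flight[url] = self.in_flight.get(url, 0) + 1
            return True

    def _leave(self, url, ok):
        with self.lock:
            self.in_flight[url] -= 1
            if self.in_flight[url] == 0:
                del self.in_flight[url]
            if ok:
                self.failed_at.pop(url, None)   # success clears the failure mark
            else:
                self.failed_at[url] = self.clock()

    def fetch(self, url, fetcher):
        """Return the CRL bytes, or None if the fetch failed or was skipped."""
        if not self._enter(url):
            return None
        data = None
        try:
            data = fetcher(url)
        except OSError:
            pass  # treated as a failed fetch
        finally:
            self._leave(url, data is not None)
        return data
```

A skipped caller gets `None` immediately and has to handle it the same way as a failed fetch; URLs without a recent failure are not limited.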