From: Emeric Brun
Date: Thu, 19 Jun 2014 12:16:17 +0000 (+0200)
Subject: MEDIUM: ssl: add 300s supported time skew on OCSP response update.
X-Git-Tag: v1.5.0~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8b27b6c681720a6ef36eeaa1de89da1adc013e7;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: add 300s supported time skew on OCSP response update.

OCSP_MAX_RESPONSE_TIME_SKEW can be set to a different value at compilation (default is 300 seconds).
---
diff --git a/include/common/defaults.h b/include/common/defaults.h
index 0d18281bac..c53db087cf 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -235,4 +235,7 @@
 #define OCSP_MAX_CERTID_ASN1_LENGTH 128
 #endif
+#ifndef OCSP_MAX_RESPONSE_TIME_SKEW
+#define OCSP_MAX_RESPONSE_TIME_SKEW 300
+#endif
 #endif /* _COMMON_DEFAULTS_H */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e0be9cc788..ad4b1caaa3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -179,7 +179,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
 goto out;
 }
-rc = OCSP_check_validity(thisupd, nextupd, 0, -1);
+rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
 if (!rc) {
 memprintf(err, "OCSP single response: no longer valid.");
 goto out;
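Review bot: The new `OCSP_MAX_RESPONSE_TIME_SKEW` block in defaults.h carries no comment giving its unit or what it bounds; the commit message says seconds, but the header will be read on its own by anyone overriding the value at build time. I would add above the `#ifndef`: `/* Clock skew, in seconds, tolerated when an OCSP response's thisUpdate/nextUpdate is checked against the local clock (see ssl_sock_load_ocsp_response). Raising it widens the window in which a stale response is still accepted. */`. A one-line note that the value is handed straight to OpenSSL's validity check would also make the effect of an override clear without reading ssl_sock.c.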
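Review bot: In the ssl_sock.c hunk the skew is passed as the leeway argument of `OCSP_check_validity`, but the last argument stays `-1`, so the call still places no upper bound on how old thisUpdate may be: a response is accepted as long as nextUpdate has not passed by more than the skew. If disabling the age check is intentional, the line should say so, since a reader may otherwise assume the new constant bounds staleness in both directions. The leeway also applies on both edges of the window (thisUpdate slightly in the future, nextUpdate slightly in the past), which the name conveys but the call does not; I would annotate it: `/* tolerate OCSP_MAX_RESPONSE_TIME_SKEW seconds of clock skew on both bounds; -1: no limit on response age */`. `ssl_sock_load_ocsp_response` starts before and continues after this hunk, so whether the `no longer valid.` message is also reached for a thisUpdate too far in the future cannot be judged from here.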