This patch effectively enables the ocsp auto update mechanism. If a
least one ocsp-update option is enabled in a crt-list, then the ocsp
auto update task is created. It will look into the dedicated ocsp update
tree for the next update to be updated, use the http_client to send the
ocsp request to the proper responder, validate the received ocsp
response and update the ocsp response tree before finally reinserting
the entry in the ocsp update tree (with a next update time set to
now+1H).
The main task will then sleep until another entry needs to be updated.
The task gets scheduled after config check in order to avoid trying to
update ocsp responses while configuration is still being parsed (and
certificates and actual ocsp responses are loaded).
return ERR_ALERT | ERR_FATAL;
}
+ if (ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) {
+ /* We might need to create the main ocsp update task */
+ int ret = ssl_create_ocsp_update_task(err);
+ if (ret)
+ return ret;
+ }
+
return 0;
}
return 0;
}
+static int ssl_ocsp_task_schedule()
+{
+ if (ocsp_update_task)
+ task_schedule(ocsp_update_task, now_ms);
+
+ return 0;
+}
+REGISTER_POST_CHECK(ssl_ocsp_task_schedule);
+
static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp);
static void ssl_destroy_ocsp_update_task(void)
projects / thirdparty / haproxy.git / commitdiff
