MEDIUM: ssl: add 300s supported time skew on OCSP response update.

author Emeric Brun <ebrun@haproxy.com>

Thu, 19 Jun 2014 12:16:17 +0000 (14:16 +0200)

committer Willy Tarreau <w@1wt.eu>

Thu, 19 Jun 2014 12:37:30 +0000 (14:37 +0200)
author Emeric Brun <ebrun@haproxy.com>
Thu, 19 Jun 2014 12:16:17 +0000 (14:16 +0200)
committer Willy Tarreau <w@1wt.eu>
Thu, 19 Jun 2014 12:37:30 +0000 (14:37 +0200)
diff --git a/include/common/defaults.h b/include/common/defaults.h

index 0d18281bac2ba209e13da50ec1d5571a6a16e4fd..c53db087cf57edbe9e0a59fa69982c552d49c1fc 100644 (file)
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -235,4 +235,7 @@
  #define OCSP_MAX_CERTID_ASN1_LENGTH 128
  #endif
  
+#ifndef OCSP_MAX_RESPONSE_TIME_SKEW
+#define OCSP_MAX_RESPONSE_TIME_SKEW 300
+#endif
  #endif /* _COMMON_DEFAULTS_H */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c

index e0be9cc7887fcf049826af35635db6cd07ed5985..ad4b1caaa3544e475383f3428f5e746fbf582b2b 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -179,7 +179,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
                 goto out;
         }
  
-       rc = OCSP_check_validity(thisupd, nextupd, 0, -1);
+       rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
         if (!rc) {
                 memprintf(err, "OCSP single response: no longer valid.");
                 goto out;
author	Emeric Brun <ebrun@haproxy.com>
	Thu, 19 Jun 2014 12:16:17 +0000 (14:16 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Thu, 19 Jun 2014 12:37:30 +0000 (14:37 +0200)
include/common/defaults.h		patch \| blob \| blame \| history
src/ssl_sock.c		patch \| blob \| blame \| history