From: William Lallemand Date: Tue, 30 Apr 2024 20:57:03 +0000 (+0200) Subject: MEDIUM: ssl: add ocsp-update.mindelay and ocsp-update.maxdelay X-Git-Tag: v3.0-dev12~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f18ed8d07e829aec217df6b1736dffe087ca29ba;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: add ocsp-update.mindelay and ocsp-update.maxdelay This patch deprecates tune.ssl.ocsp-update.* in favor of "ocsp-update.*", since the ocsp-update is not really a tunable of the SSL connections. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 621eb6bd1e..b9612bb321 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -1290,6 +1290,8 @@ The following keywords are supported in the "global" section : - nbthread - node - numa-cpu-mapping + - ocsp-update.maxdelay + - ocsp-update.mindelay - ocsp-update.httpproxy - ocsp-update.mode - pidfile @@ -1438,8 +1440,8 @@ The following keywords are supported in the "global" section : - tune.ssl.lifetime - tune.ssl.maxrecord - tune.ssl.ssl-ctx-cache-size - - tune.ssl.ocsp-update.maxdelay - - tune.ssl.ocsp-update.mindelay + - tune.ssl.ocsp-update.maxdelay (deprecated) + - tune.ssl.ocsp-update.mindelay (deprecated) - tune.vars.global-max-size - tune.vars.proc-max-size - tune.vars.reqres-max-size @@ -2171,12 +2173,27 @@ numa-cpu-mapping already specified, for example via the 'cpu-map' directive or the taskset utility. - ocsp-update.httpproxy
[:port] Allow to use an HTTP proxy for the OCSP updates. This only works with HTTP, HTTPS is not supported. This option will allow the OCSP updater to send absolute URI in the request to the proxy. +ocsp-update.maxdelay +tune.ssl.ocsp-update.maxdelay (deprecated) + Sets the maximum interval between two automatic updates of the same OCSP + response. This time is expressed in seconds and defaults to 3600 (1 hour). It + must be set to a higher value than "ocsp-update.mindelay". See + option "ocsp-update" for more information about the auto update mechanism. + +ocsp-update.mindelay +tune.ssl.ocsp-update.mindelay (deprecated) + Sets the minimum interval between two automatic updates of the same OCSP + response. This time is expressed in seconds and defaults to 300 (5 minutes). + It is particularly useful for OCSP response that do not have explicit + expiration times. It must be set to a lower value than + "ocsp-update.maxdelay". See option "ocsp-update" for more + information about the auto update mechanism. + ocsp-update.mode [ on | off ] Sets the default ocsp-update mode for all certificates used in the configuration. This global option can be superseded by the crt-list 
@@ -4020,20 +4037,6 @@ tune.ssl.ssl-ctx-cache-size dynamically is expensive, they are cached. The default cache size is set to 1000 entries. -tune.ssl.ocsp-update.maxdelay - Sets the maximum interval between two automatic updates of the same OCSP - response. This time is expressed in seconds and defaults to 3600 (1 hour). It - must be set to a higher value than "tune.ssl.ocsp-update.mindelay". See - option "ocsp-update" for more information about the auto update mechanism. - -tune.ssl.ocsp-update.mindelay - Sets the minimum interval between two automatic updates of the same OCSP - response. This time is expressed in seconds and defaults to 300 (5 minutes). - It is particularly useful for OCSP response that do not have explicit - expiration times. It must be set to a lower value than - "tune.ssl.ocsp-update.maxdelay". See option "ocsp-update" for more - information about the auto update mechanism. - tune.stick-counters Sets the number of stick-counters that may be tracked at the same time by a connection or a request via "track-sc*" actions in "tcp-request" or diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 8214fe6e18..0c399cb0fc 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -2023,7 +2023,9 @@ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws); static struct cfg_kw_list cfg_kws = {ILH, { #ifndef OPENSSL_NO_OCSP { CFG_GLOBAL, "tune.ssl.ocsp-update.maxdelay", ssl_parse_global_ocsp_maxdelay }, + { CFG_GLOBAL, "ocsp-update.maxdelay", ssl_parse_global_ocsp_maxdelay }, { CFG_GLOBAL, "tune.ssl.ocsp-update.mindelay", ssl_parse_global_ocsp_mindelay }, + { CFG_GLOBAL, "ocsp-update.mindelay", ssl_parse_global_ocsp_mindelay }, { CFG_GLOBAL, "ocsp-update.mode", ssl_parse_global_ocsp_update_mode }, { CFG_GLOBAL, "ocsp-update.httpproxy", ocsp_update_parse_global_http_proxy }, #endif
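Review bot: the first doc/configuration.txt hunk (the global keyword index at line 1290) inserts the two new entries out of alphabetical order: `+ - ocsp-update.maxdelay` and `+ - ocsp-update.mindelay` land above `- ocsp-update.httpproxy`, while the surrounding index is sorted, so they belong between `ocsp-update.httpproxy` and `ocsp-update.mode`.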
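Review bot: the new `ocsp-update.maxdelay` / `ocsp-update.mindelay` descriptions (doc hunk at line 2173) document the deprecated `tune.ssl.ocsp-update.*` spelling only by listing it as an alias, without saying whether using it produces a warning or in which release it will be removed, which operators need in order to plan a migration. The text also states that maxdelay "must be set to a higher value than" mindelay without saying whether the constraint is checked at parse time or silently produces an updater that never fires; one sentence on that would avoid a support question. Minor: "OCSP response that do not have explicit expiration times" should read "OCSP responses that do not have", a typo carried over verbatim from the removed tune.ssl block.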
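Review bot: in the src/ssl_ocsp.c hunk, registering both spellings on the same parse functions (`ssl_parse_global_ocsp_maxdelay` / `ssl_parse_global_ocsp_mindelay`) makes the deprecation documentation-only: a configuration that still uses `tune.ssl.ocsp-update.maxdelay` keeps working silently and nothing prompts the operator to migrate. Since global keyword parsers receive the keyword string as args[0], the shared parser could emit a deprecation warning when it sees the `tune.ssl.` prefix, so the alias is flagged at config-check time rather than discovered only when the old name is removed.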