]> git.ipfire.org Git - thirdparty/dehydrated.git/commitdiff
projects / thirdparty / dehydrated.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9165cfd)
made ocsp refresh interval configurable
authorLukas Schauer <lukas@schauer.so>
Mon, 7 May 2018 01:31:43 +0000 (03:31 +0200)
committerLukas Schauer <lukas@schauer.so>
Mon, 7 May 2018 01:31:43 +0000 (03:31 +0200)
CHANGELOG patch | blob | blame | history
dehydrated patch | blob | blame | history
docs/examples/config patch | blob | blame | history

diff --git a/CHANGELOG b/CHANGELOG
index bb11a68766ba55c7ba1bb3041470f206501fd3f8..cc2f4fd8ebfb62c391abec7e5957f182f84ab54d 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated
 
 ## [x.x.x] - xxxx-xx-xx
 ## Changed
-- ??
+- OCSP refresh interval is now configurable
 
 ## Added
 - ??
diff --git a/dehydrated b/dehydrated
index c462a419840732fa8e529f8d6d9dea0add164825..e0ce7646cfb92619ab3ca53f0420ebc826649e70 100755 (executable)
--- a/dehydrated
+++ b/dehydrated
@@ -106,6 +106,7 @@ verify_config() {
     [[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue."
   fi
   [[ "${API}" == "auto" || "${API}" == "1" || "${API}" == "2" ]] || _exiterr "Unsupported API version defined in config: ${API}"
+  [[ "${OCSP_DAYS}" =~ ^[0-9]+$ ]] || _exiterr "OCSP_DAYS must be a number"
 }
 
 # Setup default config values, search for and load configuration files
@@ -145,6 +146,7 @@ load_config() {
   LOCKFILE=
   OCSP_MUST_STAPLE="no"
   OCSP_FETCH="no"
+  OCSP_DAYS=5
   IP_VERSION=
   CHAINCACHE=
   AUTO_CLEANUP="no"
@@ -1310,7 +1312,7 @@ command_sign_domains() {
 
       if [[ ! -e "${certdir}/ocsp.der" ]]; then
         update_ocsp="yes"
-      elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age 432000 2>&1 | grep -q "${cert}: good"); then
+      elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
         update_ocsp="yes"
       fi
 
diff --git a/docs/examples/config b/docs/examples/config
index 665704d89f11ce9677acd10677ea53381cf9b86a..cd24afb69003ae06992efe6974d67e38be415ec6 100644 (file)
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -106,6 +106,9 @@
 # Fetch OCSP responses (default: no)
 #OCSP_FETCH="no"
 
+# OCSP refresh interval (default: 5 days)
+#OCSP_DAYS=5
+
 # Issuer chain cache directory (default: $BASEDIR/chains)
 #CHAINCACHE="${BASEDIR}/chains"
 
Mirror of https://github.com/dehydrated-io/dehydrated.git