From: Lukas Schauer Date: Mon, 7 May 2018 01:31:43 +0000 (+0200) Subject: made ocsp refresh interval configurable X-Git-Tag: v0.6.3~16 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=2a8af8fda76f3687c48fbd9d4b4733102fbeadde;p=thirdparty%2Fdehydrated.git made ocsp refresh interval configurable --- diff --git a/CHANGELOG b/CHANGELOG index bb11a68..cc2f4fd 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated ## [x.x.x] - xxxx-xx-xx ## Changed -- ?? +- OCSP refresh interval is now configurable ## Added - ?? diff --git a/dehydrated b/dehydrated index c462a41..e0ce764 100755 --- a/dehydrated +++ b/dehydrated @@ -106,6 +106,7 @@ verify_config() { [[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue." fi [[ "${API}" == "auto" || "${API}" == "1" || "${API}" == "2" ]] || _exiterr "Unsupported API version defined in config: ${API}" + [[ "${OCSP_DAYS}" =~ ^[0-9]+$ ]] || _exiterr "OCSP_DAYS must be a number" } # Setup default config values, search for and load configuration files @@ -145,6 +146,7 @@ load_config() { LOCKFILE= OCSP_MUST_STAPLE="no" OCSP_FETCH="no" + OCSP_DAYS=5 IP_VERSION= CHAINCACHE= AUTO_CLEANUP="no" @@ -1310,7 +1312,7 @@ command_sign_domains() { if [[ ! -e "${certdir}/ocsp.der" ]]; then update_ocsp="yes" - elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age 432000 2>&1 | grep -q "${cert}: good"); then + elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then update_ocsp="yes" fi diff --git a/docs/examples/config b/docs/examples/config index 665704d..cd24afb 100644 --- a/docs/examples/config +++ b/docs/examples/config 
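Review bot: The new validation in verify_config accepts values with a leading zero, and the arithmetic expansion in the command_sign_domains hunk (`$((OCSP_DAYS*24*3600))`) then evaluates them as octal, so `OCSP_DAYS=08` passes the check but aborts the run with bash's "value too great for base" error, while `OCSP_DAYS=010` silently becomes an 8-day interval. The pattern also admits `0`, which is not a meaningful refresh interval. Tightening the check to `[[ "${OCSP_DAYS}" =~ ^[1-9][0-9]*$ ]] || _exiterr "OCSP_DAYS must be a positive number"` closes both issues; alternatively keep the pattern and force base 10 at the use site with `-status_age $((10#${OCSP_DAYS}*24*3600))`. verify_config's body starts before this hunk, and the command_sign_domains hunk shows only a fragment of that function.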
@@ -106,6 +106,9 @@ # Fetch OCSP responses (default: no) #OCSP_FETCH="no" +# OCSP refresh interval (default: 5 days) +#OCSP_DAYS=5 + # Issuer chain cache directory (default: $BASEDIR/chains) #CHAINCACHE="${BASEDIR}/chains"