rsyslog/rsyslog
1
0
Fork 0
mirror of https://github.com/rsyslog/rsyslog.git synced 2026-06-19 14:02:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

ossl: avoid caching OCSP responses past nextUpdate

Browse Source
This commit is contained in:
Rainer Gerhards 2026-05-26 09:48:47 +02:00
parent 492c929298
commit 95549de027
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
runtime/net_ossl.c
View File

@ -1761,6 +1761,7 @@ static int ocsp_check_validate_response_and_cert(OCSP_RESPONSE *rsp,
/* Store result in cache */
char *cache_key = ocsp_make_cache_key(cert, issuer);
if (cache_key) {
int should_cache = 1;
time_t cache_ttl = OCSP_CACHE_DEFAULT_TTL;
/* Use nextUpdate if available for more accurate cache expiry */
if (nextupd) {
@ -1771,12 +1772,19 @@ static int ocsp_check_validate_response_and_cert(OCSP_RESPONSE *rsp,
time_t seconds_until_expiry = (pday * 86400) + psec;
if (seconds_until_expiry > 0) {
cache_ttl = seconds_until_expiry;
} else {
/* avoid caching stale responses accepted only via OCSP leeway */
should_cache = 0;
}
} else {
dbgprintf("OCSP: ASN1_TIME_diff() failed, using default TTL\n");
}
}
ocsp_cache_store(cache_key, status, cache_ttl);
if (should_cache) {
ocsp_cache_store(cache_key, status, cache_ttl);
} else {
dbgprintf("OCSP: nextUpdate is not in the future, skipping cache store\n");
}
free(cache_key);
}