Posted to cvs@httpd.apache.org by rp...@apache.org on 2020/02/14 09:38:13 UTC

svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_util_ocsp.c

Author: rpluem
Date: Fri Feb 14 09:38:12 2020
New Revision: 1874007

URL: http://svn.apache.org/viewvc?rev=1874007&view=rev
Log:
* modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header
  to close to indicate that we do not want to keep the HTTP connection to the
  OCSP responder alive. We don't reuse the connections currently and if the
  OCSP responder keeps the connection alive this could cause us to wait for
  keepalive timeout of the OCSP responder to timeout until we finish our
  reading of the OCSP response.

PR: 64135


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1874007&r1=1874006&r2=1874007&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Feb 14 09:38:12 2020
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_ssl: Do not keep connections to OCSP responders alive when doing
+     OCSP requests.  PR 64135.  [Ruediger Pluem]
+
   *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
      issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
      [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
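
Review bot: the new CHANGES entry (the two added "mod_ssl: Do not keep connections ..." lines) states what was changed but not the symptom an administrator would have seen. The log message gives it: a responder that holds the connection open makes the OCSP read wait for the responder's keepalive timeout. Suggest adding a clause such as "to avoid waiting for the responder's keepalive timeout" so the entry can be found by anyone hitting PR 64135.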

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1874007&r1=1874006&r2=1874007&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Fri Feb 14 09:38:12 2020
@@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUE
     BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
                "Host: %s:%d\r\n"
                "Content-Type: application/ocsp-request\r\n"
+               "Connection: close\r\n"
                "Content-Length: %d\r\n"
                "\r\n",
                uri->path ? uri->path : "/",
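
Review bot: the added "Connection: close\r\n" line sits in a request whose request line is HTTP/1.0, where connections are already non-persistent unless keep-alive is requested, so without a comment the header reads as redundant and is at risk of being dropped in a later cleanup. Suggest a short comment above the BIO_printf call saying that the connection is not reused and that a responder keeping it alive delays the end of the response read, with a pointer to PR 64135.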


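The stall the log message describes, as an added example (not httpd code): a reader that stops only at end of stream keeps waiting on a keep-alive responder after the full response has arrived, while a reader that frames on Content-Length does not. The names `ocsp_read_state` and `header_value` are hypothetical, and the sample response is constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Added illustration, not httpd code: when may a client stop reading a response? */
enum read_state { NEED_MORE, DONE, BAD };

/* Find "Name:" at the start of a header line inside [buf, end); return the value. */
static const char *header_value(const char *buf, const char *end, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = buf + 1; p + n + 1 <= end; p++)
        if (p[-1] == '\n' && p[n] == ':' && strncasecmp(p, name, n) == 0)
            return p + n + 1;
    return NULL;
}

/* buf/len: bytes received so far; eof: peer closed the connection.
 * use_length = 0 models a reader that only stops at end of stream. */
enum read_state ocsp_read_state(const char *buf, size_t len, int eof, int use_length)
{
    const char *body = NULL;
    for (size_t i = 0; i + 4 <= len && !body; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            body = buf + i + 4;
    if (!body)
        return eof ? BAD : NEED_MORE;          /* header block still incomplete */

    const char *cl = use_length ? header_value(buf, body, "Content-Length") : NULL;
    if (!cl)
        return eof ? DONE : NEED_MORE;         /* only the peer closing ends the body */

    while (*cl == ' ' || *cl == '\t')
        cl++;
    if (*cl < '0' || *cl > '9')
        return BAD;                            /* malformed length */
    unsigned long want = strtoul(cl, NULL, 10);
    size_t have = len - (size_t)(body - buf);
    if (have >= want)
        return DONE;                           /* complete, even if the peer keeps alive */
    return eof ? BAD : NEED_MORE;              /* closed early means truncated */
}

/* Constructed sample: keep-alive response carrying a 5-byte placeholder body. */
static const char SAMPLE[] = "HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n"
                             "Connection: keep-alive\r\nContent-Length: 5\r\n\r\nABCDE";

int main(void) { return ocsp_read_state(SAMPLE, sizeof SAMPLE - 1, 0, 1) == DONE ? 0 : 1; }
```

With `use_length` set to 0 the same complete response still reports `NEED_MORE` until the peer closes, which is the wait that `Connection: close` removes.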

Re: svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_util_ocsp.c

Posted by Giovanni Bechis <gi...@paclan.it>.
On 2/14/20 6:05 PM, Marion & Christophe JAILLET wrote:
> Hi,
> 
> purely speculative, but does a:
>    apr_table_set(headers, "Connection", "close");
> 
> around line 812 of md_oscp.c also make sense?
> 
I think it absolutely makes sense.
 Giovanni

> CJ
> 
> Le 14/02/2020 à 10:38, rpluem@apache.org a écrit :
>> Author: rpluem
>> Date: Fri Feb 14 09:38:12 2020
>> New Revision: 1874007
>>
>> URL: http://svn.apache.org/viewvc?rev=1874007&view=rev
>> Log:
>> * modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header
>>    to close to indicate that we do not want to keep the HTTP connection to the
>>    OCSP responder alive. We don't reuse the connections currently and if the
>>    OCSP responder keeps the connection alive this could cause us to wait for
>>    keepalive timeout of the OCSP responder to timeout until we finish our
>>    reading of the OCSP response.
>>
>> PR: 64135
>>
>>
>> Modified:
>>      httpd/httpd/trunk/CHANGES
>>      httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
>>
>> Modified: httpd/httpd/trunk/CHANGES
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1874007&r1=1874006&r2=1874007&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
>> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Feb 14 09:38:12 2020
>> @@ -1,6 +1,9 @@
>>                                                            -*- coding: utf-8 -*-
>>   Changes with Apache 2.5.1
>>   +  *) mod_ssl: Do not keep connections to OCSP responders alive when doing
>> +     OCSP requests.  PR 64135.  [Ruediger Pluem]
>> +
>>     *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
>>        issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
>>        [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1874007&r1=1874006&r2=1874007&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Fri Feb 14 09:38:12 2020
>> @@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUE
>>       BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
>>                  "Host: %s:%d\r\n"
>>                  "Content-Type: application/ocsp-request\r\n"
>> +               "Connection: close\r\n"
>>                  "Content-Length: %d\r\n"
>>                  "\r\n",
>>                  uri->path ? uri->path : "/",
>>
>>


Re: svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_util_ocsp.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 02/14/2020 06:05 PM, Marion & Christophe JAILLET wrote:
> Hi,
> 
> purely speculative, but does a:
>    apr_table_set(headers, "Connection", "close");
> 
> around line 812 of md_oscp.c also make sense?

In general I guess it could make sense, but I am not sure if this is the correct way to do it here, since we are not
talking HTTP on a bare socket like in mod_ssl, but using libcurl where the same effect possibly should be done differently.

Regards

Rüdiger


Re: svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_util_ocsp.c

Posted by Marion & Christophe JAILLET <ch...@wanadoo.fr>.
Hi,

purely speculative, but does a:
    apr_table_set(headers, "Connection", "close");

around line 812 of md_oscp.c also make sense?

CJ

Le 14/02/2020 à 10:38, rpluem@apache.org a écrit :
> Author: rpluem
> Date: Fri Feb 14 09:38:12 2020
> New Revision: 1874007
>
> URL: http://svn.apache.org/viewvc?rev=1874007&view=rev
> Log:
> * modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header
>    to close to indicate that we do not want to keep the HTTP connection to the
>    OCSP responder alive. We don't reuse the connections currently and if the
>    OCSP responder keeps the connection alive this could cause us to wait for
>    keepalive timeout of the OCSP responder to timeout until we finish our
>    reading of the OCSP response.
>
> PR: 64135
>
>
> Modified:
>      httpd/httpd/trunk/CHANGES
>      httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1874007&r1=1874006&r2=1874007&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Feb 14 09:38:12 2020
> @@ -1,6 +1,9 @@
>                                                            -*- coding: utf-8 -*-
>   Changes with Apache 2.5.1
>   
> +  *) mod_ssl: Do not keep connections to OCSP responders alive when doing
> +     OCSP requests.  PR 64135.  [Ruediger Pluem]
> +
>     *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
>        issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
>        [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1874007&r1=1874006&r2=1874007&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Fri Feb 14 09:38:12 2020
> @@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUE
>       BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
>                  "Host: %s:%d\r\n"
>                  "Content-Type: application/ocsp-request\r\n"
> +               "Connection: close\r\n"
>                  "Content-Length: %d\r\n"
>                  "\r\n",
>                  uri->path ? uri->path : "/",
>
>