Posted to dev@httpd.apache.org by Marion & Christophe JAILLET <ch...@wanadoo.fr> on 2020/02/14 17:05:45 UTC
Re: svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_util_ocsp.c
Hi,
purely speculative, but does a:
apr_table_set(headers, "Connection", "close");
around line 812 of md_oscp.c also make sense?
CJ
Le 14/02/2020 à 10:38, rpluem@apache.org a écrit :
> Author: rpluem
> Date: Fri Feb 14 09:38:12 2020
> New Revision: 1874007
>
> URL: http://svn.apache.org/viewvc?rev=1874007&view=rev
> Log:
> * modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header
> to close to indicate that we do not want to keep the HTTP connection to the
> OCSP responder alive. We don't reuse the connections currently and if the
> OCSP responder keeps the connection alive this could cause us to wait for
> keepalive timeout of the OCSP responder to timeout until we finish our
> reading of the OCSP response.
>
> PR: 64135
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1874007&r1=1874006&r2=1874007&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Feb 14 09:38:12 2020
> @@ -1,6 +1,9 @@
> -*- coding: utf-8 -*-
> Changes with Apache 2.5.1
>
> + *) mod_ssl: Do not keep connections to OCSP responders alive when doing
> + OCSP requests. PR 64135. [Ruediger Pluem]
> +
> *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
> issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
> [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1874007&r1=1874006&r2=1874007&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Fri Feb 14 09:38:12 2020
> @@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUE
> BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
> "Host: %s:%d\r\n"
> "Content-Type: application/ocsp-request\r\n"
> + "Connection: close\r\n"
> "Content-Length: %d\r\n"
> "\r\n",
> uri->path ? uri->path : "/",
>
>
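Review bot: In serialize_request the added "Connection: close" line is only a request to the responder, and the request line already says HTTP/1.0, so a responder that ignores the header still leaves the reader waiting for the keepalive timeout the log message describes. Consider also having the response reader stop once it has received the number of bytes given by the response's Content-Length, and add a short comment above the format string saying why the header is sent, since that reasoning currently lives only in the commit log.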
Re: svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_util_ocsp.c
Posted by Giovanni Bechis <gi...@paclan.it>.
On 2/14/20 6:05 PM, Marion & Christophe JAILLET wrote:
> Hi,
>
> purely speculative, but does a:
> apr_table_set(headers, "Connection", "close");
>
> around line 812 of md_oscp.c also make sense?
>
I think it absolutely makes sense.
Giovanni
Re: svn commit: r1874007 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_util_ocsp.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 02/14/2020 06:05 PM, Marion & Christophe JAILLET wrote:
> Hi,
>
> purely speculative, but does a:
> apr_table_set(headers, "Connection", "close");
>
> around line 812 of md_oscp.c also make sense?
In general I guess it could make sense, but I am not sure if this is the correct way to do it here, since we are not
talking HTTP on a bare socket like in mod_ssl, but using libcurl where the same effect possibly should be done differently.
Regards
Rüdiger
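
The behaviour described in the commit log, as an added example that is not part of this thread or of httpd's code: the request head with `Connection: close`, plus a reader-side check that stops at the response's Content-Length instead of waiting for the responder to close the connection. The names `build_ocsp_head`, `response_complete` and `MAX_OCSP_BODY`, the POST method and the sample response are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_OCSP_BODY (64L * 1024) /* hypothetical cap on the response body */

/* Build the request head as the patched format string does; POST is assumed.
 * Returns bytes written, or -1 if buf is too small. */
int build_ocsp_head(char *buf, size_t len, const char *host, int port,
                    const char *path, int body_len)
{
    int n = snprintf(buf, len,
                     "POST %s HTTP/1.0\r\n"
                     "Host: %s:%d\r\n"
                     "Content-Type: application/ocsp-request\r\n"
                     "Connection: close\r\n"
                     "Content-Length: %d\r\n"
                     "\r\n", path ? path : "/", host, port, body_len);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* resp holds len bytes received so far and is NUL-terminated at resp[len].
 * Returns 1 = body complete, 0 = read more, -1 = no usable Content-Length
 * (the caller then has to read until close, under a timeout). */
int response_complete(const char *resp, size_t len)
{
    const char *end = strstr(resp, "\r\n\r\n"), *p, *v;
    long want;
    if (!end || (size_t)(end + 4 - resp) > len)
        return 0;                      /* header block not finished yet */
    for (p = strstr(resp, "\r\n"); p < end; p = strstr(p + 2, "\r\n")) {
        if (strncasecmp(p + 2, "Content-Length:", 15) != 0)
            continue;
        for (v = p + 17; *v == ' ' || *v == '\t'; v++)
            ;
        want = (*v >= '0' && *v <= '9') ? strtol(v, NULL, 10) : -1;
        if (want < 0 || want > MAX_OCSP_BODY)
            return -1;
        return len - (size_t)(end + 4 - resp) >= (size_t)want;
    }
    return -1;
}

int main(void)
{
    const char *r = "HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabc"; /* constructed */
    return printf("complete=%d\n", response_complete(r, strlen(r))) < 0;
}
```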