|
46 | 46 | #include "md_ocsp.h" |
47 | 47 |
|
48 | 48 | #define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH |
49 | | - |
| 49 | + |
| 50 | +/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */ |
| 51 | +#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024) |
| 52 | +/* Timeout for OCSP responses */ |
| 53 | +#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60) |
| 54 | +/* Timeout for connecting to OCSP servers */ |
| 55 | +#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30) |
| 56 | +/* |
| 57 | + * Below this throughput in bytes per second an OCSP response is regarded as |
| 58 | + * stalled. |
| 59 | + */ |
| 60 | +#define MD_OCSP_STALLING_BYTES 10 |
| 61 | +/* Maximum duration for a stalled period during an OCSP response */ |
| 62 | +#define MD_OCSP_STALLING_TIME apr_time_from_sec(30) |
| 63 | + |
50 | 64 | struct md_ocsp_reg_t { |
51 | 65 | apr_pool_t *p; |
52 | 66 | md_store_t *store; |
@@ -901,6 +915,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim |
901 | 915 |
|
902 | 916 | rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url); |
903 | 917 | if (APR_SUCCESS != rv) goto cleanup; |
| 918 | + |
| 919 | + md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN); |
| 920 | + md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT); |
| 921 | + md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT); |
| 922 | + md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES, |
| 923 | + MD_OCSP_STALLING_TIME); |
904 | 924 |
|
905 | 925 | rv = md_http_multi_perform(http, next_todo, &ctx); |
906 | 926 |
|
|
0 commit comments