Commit e081d8b5
authored 8 years ago by Matthew Holt
Maintenance routine deletes old (expired) OCSP staple files
parent 8eefeb67
Showing 2 changed files with 47 additions and 1 deletion
caddytls/crypto.go (+0 -1)
caddytls/maintain.go (+47 -0)
caddytls/crypto.go
@@ -89,7 +89,6 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error {
// First try to load OCSP staple from storage and see if
// we can still use it.
// TODO: Use Storage interface instead of disk directly
ocspFolder
:=
filepath
.
Join
(
caddy
.
AssetsPath
(),
"ocsp"
)
ocspFileName
:=
cert
.
Names
[
0
]
+
"-"
+
fastHash
(
pemBundle
)
ocspCachePath
:=
filepath
.
Join
(
ocspFolder
,
ocspFileName
)
cachedOCSP
,
err
:=
ioutil
.
ReadFile
(
ocspCachePath
)
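Review bot: the single removed line in this hunk is the local `ocspFolder := filepath.Join(caddy.AssetsPath(), "ocsp")` inside stapleOCSP, which now relies on the package-level `var ocspFolder` declared at the bottom of maintain.go. That moves the caddy.AssetsPath() call to package initialization, so please confirm the assets path is already final at that point (a value read from the environment at init is fine; anything set later from flags or the Caddyfile would be missed by the cached path). The TODO above about going through the Storage interface instead of the disk directly still applies to both the read here and the new purge routine.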
caddytls/maintain.go
package
caddytls
import
(
"io/ioutil"
"log"
"os"
"path/filepath"
"time"
"github.com/mholt/caddy"
"golang.org/x/crypto/ocsp"
)
@@ -47,6 +52,7 @@ func maintainAssets(stopChan chan struct{}) {
case
<-
ocspTicker
.
C
:
log
.
Println
(
"[INFO] Scanning for stale OCSP staples"
)
UpdateOCSPStaples
()
DeleteOldStapleFiles
()
log
.
Println
(
"[INFO] Done checking OCSP staples"
)
case
<-
stopChan
:
renewalTicker
.
Stop
()
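Review bot: DeleteOldStapleFiles is only reached from the ocspTicker case, so expired staple files left on disk before the process started stay there until the first tick fires; consider also calling it once when maintainAssets starts. It also runs without certCacheMu (UpdateOCSPStaples takes and releases the lock itself), which is fine as long as stapleOCSP treats a missing cache file as a cache miss, since a concurrent staple load can now observe the file being removed between its ReadFile and its own freshness check.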
@@ -231,8 +237,49 @@ func UpdateOCSPStaples() {
certCacheMu
.
Unlock
()
}
// DeleteOldStapleFiles deletes cached OCSP staples that have expired.
// TODO: Should we do this for certificates too?
func
DeleteOldStapleFiles
()
{
files
,
err
:=
ioutil
.
ReadDir
(
ocspFolder
)
if
err
!=
nil
{
// maybe just hasn't been created yet; no big deal
return
}
for
_
,
file
:=
range
files
{
if
file
.
IsDir
()
{
// wierd, what's a folder doing inside the OCSP cache?
continue
}
stapleFile
:=
filepath
.
Join
(
ocspFolder
,
file
.
Name
())
ocspBytes
,
err
:=
ioutil
.
ReadFile
(
stapleFile
)
if
err
!=
nil
{
continue
}
resp
,
err
:=
ocsp
.
ParseResponse
(
ocspBytes
,
nil
)
if
err
!=
nil
{
// contents are invalid; delete it
err
=
os
.
Remove
(
stapleFile
)
if
err
!=
nil
{
log
.
Printf
(
"[ERROR] Purging corrupt staple file %s: %v"
,
stapleFile
,
err
)
}
}
if
time
.
Now
()
.
After
(
resp
.
NextUpdate
)
{
// response has expired; delete it
err
=
os
.
Remove
(
stapleFile
)
if
err
!=
nil
{
log
.
Printf
(
"[ERROR] Purging expired staple file %s: %v"
,
stapleFile
,
err
)
}
}
}
}
// freshOCSP returns true if resp is still fresh,
// meaning that it is not expedient to get an
// updated response from the OCSP server.
func
freshOCSP
(
resp
*
ocsp
.
Response
)
bool
{
// start checking OCSP staple about halfway through validity period for good measure
refreshTime
:=
resp
.
ThisUpdate
.
Add
(
resp
.
NextUpdate
.
Sub
(
resp
.
ThisUpdate
)
/
2
)
return
time
.
Now
()
.
Before
(
refreshTime
)
}
var
ocspFolder
=
filepath
.
Join
(
caddy
.
AssetsPath
(),
"ocsp"
)
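Review bot: DeleteOldStapleFiles dereferences a nil resp when ocsp.ParseResponse fails. In the `if err != nil` branch after ParseResponse the file is removed, but the loop does not `continue`, so control falls through to `time.Now().After(resp.NextUpdate)` with resp == nil and the maintenance goroutine panics on the first corrupt staple file it meets. Add a `continue` at the end of that branch, after the "Purging corrupt staple file" log. Two smaller points: a response with no NextUpdate (the field is optional in OCSP responses) has a zero time, so `time.Now().After(resp.NextUpdate)` is true and such a staple is deleted on every tick even though it parsed cleanly; guard the expiry check with `!resp.NextUpdate.IsZero()` or decide explicitly how those responses are treated, since freshOCSP below has the same assumption. And the comment `// wierd, what's a folder doing inside the OCSP cache?` should read `weird`.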