/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
*/
/* mod_watchdog invoked us as a single thread inside the whole server (on this machine). * This might be a repeated run inside the same child (mod_watchdog keeps affinity as * long as the child lives) or another/new child.
*/ switch (state) { case AP_WATCHDOG_STATE_STARTING:
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, octx->s, APLOGNO(10197) "md ocsp watchdog start, ocsp stapling %d certificates",
(int)md_ocsp_count(octx->mc->ocsp)); break;
/* Process all drive jobs. They will update their next_run property * and we schedule ourselves at the earliest of all. A job may specify 0 * as next_run to indicate that it wants to participate in the normal
* regular runs. */
next_run = next_run_default();
if (!wd_get_instance || !wd_register_callback || !wd_set_interval) {
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(10201) "mod_watchdog is required for OCSP stapling"); return APR_EGENERAL;
}
/* We want our own pool with own allocator to keep data across watchdog invocations. * Since we'll run in a single watchdog thread, using our own allocator will prevent
* any confusion in the parent pool. */
apr_allocator_create(&allocator);
apr_allocator_max_free_set(allocator, 1);
rv = apr_pool_create_ex(&octxp, p, NULL, allocator); if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10205) "md_ocsp_watchdog: create pool"); return rv;
}
apr_allocator_owner_set(allocator, octxp);
apr_pool_tag(octxp, "md_ocsp_watchdog");
/* Time for some housekeeping, before the server goes live (again): * - we store OCSP responses for each certificate individually by its SHA-1 id * - this means, as long as certificates do not change, the number of response * files remains stable. * - But when a certificate changes (is replaced), the response is obsolete * - we do not get notified when a certificate is no longer used. An admin * might just reconfigure or change the content of a file (backup/restore etc.) * - also, certificates might be added by some openssl config commands or other * modules that we do not immediately see right at startup. We cannot assume * that any OCSP response we cannot relate to a certificate RIGHT NOW is no * longer needed. * - since the response files are relatively small, we have no problem with * keeping them around for a while. We just do not want an ever growing store. * - The simplest and most effective way seems to be to just remove files older than * a certain amount of time. Take a 7 day default and let the admin configure * it for very special setups.
*/
ocsp_remove_old_responses(mc, octx->p);