From 9f92c2a085ffe586fd73acfff5394749d9629672 Mon Sep 17 00:00:00 2001 From: "Richter, Adam (Volkswagen Group Services Slovakia)" Date: Fri, 11 Jul 2025 10:05:16 +0200 Subject: [PATCH 1/2] add OCSP cache invalidation --- rootfs/etc/nginx/lua/certificate.lua | 35 +++++++++++++++++++++------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua index 1b3d3b21fa..5e9b3e7792 100644 --- a/rootfs/etc/nginx/lua/certificate.lua +++ b/rootfs/etc/nginx/lua/certificate.lua @@ -148,8 +148,8 @@ local function fetch_and_cache_ocsp_response(uid, der_cert) return end - local ok - ok, err = ocsp.validate_ocsp_response(ocsp_response, der_cert) + local ok, error_or_next_update + ok, error_or_next_update = ocsp.validate_ocsp_response(ocsp_response, der_cert) if not ok then -- We are doing the same thing as vanilla Nginx here - if response status is not "good" -- we do not use it - no stapling. 
@@ -173,14 +173,33 @@ local function fetch_and_cache_ocsp_response(uid, der_cert) -- the OCSP responder. Imagine OCSP responder is having an intermittent issue -- and we keep sending request. It might make things worse for the responder. - ngx.log(ngx.NOTICE, "OCSP response validation failed: ", err) + ngx.log(ngx.NOTICE, "OCSP response validation failed: ", error_or_next_update) return end - -- Normally this should be (nextUpdate - thisUpdate), but Lua API does not expose - -- those attributes. - local expiry = 3600 * 24 * 3 - local success, forcible + local success, forcible, expiry + + -- nextUpdate field is finally accessible via Lua API through validate_ocsp_response(), therefore we can calculate cache invalidation precisely + if ok then + local now = ngx.now() + local grace_period = 300 + + -- handle nextUpdate field from OCSP + if error_or_next_update ~= nil then + expiry = error_or_next_update - now - grace_period + ngx.log(ngx.NOTICE, "OCSP Response cache was provided by OCSP server and is valid for: ", expiry) + + if expiry <= 0 then + ngx.log(ngx.WARN, "OCSP next_update is in the past, setting ocsp_response_cache to 0") + expiry = 0 + end + else + -- fallback to original logic if OCSP server did not provide nextUpdate field + expiry = 3600 * 24 * 3 + ngx.log(ngx.NOTICE, "OCSP did not provide nextUpdate therefore it is set to fixed value of 3 days") + end + end + success, err, forcible = ocsp_response_cache:set(uid, ocsp_response, expiry) if not success then ngx.log(ngx.ERR, "failed to cache OCSP response: ", err) @@ -273,4 +292,4 @@ function _M.call() end end -return _M +return _M \ No newline at end of file From 1d4c6d5568834838a00d3e4e642c458aeff7d157 Mon Sep 17 00:00:00 2001 From: "Richter, Adam (Volkswagen Group Services Slovakia)" Date: Fri, 11 Jul 2025 11:08:35 +0200 Subject: [PATCH 2/2] satisfy lua-lint a bit more --- rootfs/etc/nginx/lua/certificate.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
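Review bot: Clamping a past nextUpdate to `expiry = 0` in the `if expiry <= 0` branch does the opposite of what the WARN message intends: `ngx.shared.DICT:set` treats an exptime of 0 as "never expire", so an already-stale OCSP response would be pinned in `ocsp_response_cache` until evicted, and the same would happen if `ok` were ever false here because `expiry` stays nil and the dictionary default is again 0. A stale response should not be cached at all, mirroring the validation-failure path a few lines above: `if expiry <= 0 then ngx.log(ngx.WARN, "OCSP next_update is in the past, not caching OCSP response") return end`. The `if ok then` guard is dead code at this point, since `not ok` has already returned, so the block can be flattened; and whether `validate_ocsp_response` returns `next_update` as its second value on success depends on the bundled lua-resty-core, which the new comment should state explicitly, e.g. `-- requires a lua-resty-core whose validate_ocsp_response returns next_update on success; older versions return nil and fall through to the 3-day default`. `fetch_and_cache_ocsp_response` continues past the end of this hunk.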
diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua
index 5e9b3e7792..eefd1c7a99 100644
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@@ -183,7 +183,7 @@ local function fetch_and_cache_ocsp_response(uid, der_cert)
 if ok then
 local now = ngx.now()
 local grace_period = 300
-
+
 -- handle nextUpdate field from OCSP
 if error_or_next_update ~= nil then
 expiry = error_or_next_update - now - grace_period
@@ -195,7 +195,7 @@ local function fetch_and_cache_ocsp_response(uid, der_cert)
 end
 else
 -- fallback to original logic if OCSP server did not provide nextUpdate field
- expiry = 3600 * 24 * 3
+ expiry = 3600 * 24 * 3
 ngx.log(ngx.NOTICE, "OCSP did not provide nextUpdate therefore it is set to fixed value of 3 days")
 end
 end