MEDIUM: ssl: add 300s supported time skew on OCSP response update.
OCSP_MAX_RESPONSE_TIME_SKEW can be overridden at compile time
(the default is 300 seconds).
diff --git a/include/common/defaults.h b/include/common/defaults.h
index 0d18281..c53db08 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -235,4 +235,7 @@
#define OCSP_MAX_CERTID_ASN1_LENGTH 128
#endif
+#ifndef OCSP_MAX_RESPONSE_TIME_SKEW
+#define OCSP_MAX_RESPONSE_TIME_SKEW 300
+#endif
#endif /* _COMMON_DEFAULTS_H */
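Review bot: The new OCSP_MAX_RESPONSE_TIME_SKEW define carries no comment giving its unit or saying which check it relaxes, so a packager overriding it has to find the call site in src/ssl_sock.c to learn what it does. I would add above the `#ifndef`: `/* Clock skew, in seconds, tolerated on thisUpdate/nextUpdate when validating an OCSP response */`. Because this is a build-time override that loosens a revocation freshness check, a sanity guard after the block, `#if OCSP_MAX_RESPONSE_TIME_SKEW < 0` followed by `#error "OCSP_MAX_RESPONSE_TIME_SKEW must be >= 0"`, would catch a mistyped value at compile time.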
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e0be9cc..ad4b1ca 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -179,7 +179,7 @@
goto out;
}
- rc = OCSP_check_validity(thisupd, nextupd, 0, -1);
+ rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
if (!rc) {
memprintf(err, "OCSP single response: no longer valid.");
goto out;
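Review bot: The tolerance now passed to OCSP_check_validity() applies to both bounds, so besides accepting a thisUpdate up to 300 seconds in the future it also accepts a response up to 300 seconds past its nextUpdate, and the call has no comment saying this is intended. I would add above it: `/* tolerate OCSP_MAX_RESPONSE_TIME_SKEW seconds of clock skew on both thisUpdate and nextUpdate; maxsec = -1 puts no limit on the age of thisUpdate */`. The failure message "no longer valid" is also what an operator sees when thisUpdate is still too far in the future, so `memprintf(err, "OCSP single response: not within its validity period.");` would describe both cases. The enclosing function starts and ends outside the hunk.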