diff options
Diffstat (limited to 'lib/vtls/openssl.c')
-rw-r--r-- | lib/vtls/openssl.c | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 4b2aa5534..ece8a338f 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3164,12 +3164,18 @@ static CURLcode populate_x509_store(struct Curl_easy *data, } #if defined(HAVE_SSL_X509_STORE_SHARE) -#define X509_STORE_EXPIRY_MS (24 * 60 * 60 * 1000) /* 24 hours */ -static bool cached_x509_store_expired(const struct multi_ssl_backend_data *mb) +static bool cached_x509_store_expired(const struct Curl_easy *data, + const struct multi_ssl_backend_data *mb) { + const struct ssl_general_config *cfg = &data->set.general_ssl; struct curltime now = Curl_now(); + timediff_t elapsed_ms = Curl_timediff(now, mb->time); + timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000; - return Curl_timediff(now, mb->time) >= X509_STORE_EXPIRY_MS; + if(timeout_ms < 0) + return false; + + return elapsed_ms >= timeout_ms; } static bool cached_x509_store_different( @@ -3191,7 +3197,7 @@ static X509_STORE *get_cached_x509_store(const struct Curl_easy *data, if(multi && multi->ssl_backend_data && multi->ssl_backend_data->store && - !cached_x509_store_expired(multi->ssl_backend_data) && + !cached_x509_store_expired(data, multi->ssl_backend_data) && !cached_x509_store_different(multi->ssl_backend_data, conn)) { store = multi->ssl_backend_data->store; } @@ -3244,17 +3250,20 @@ static CURLcode set_up_x509_store(struct Curl_easy *data, struct ssl_backend_data *backend) { CURLcode result = CURLE_OK; - X509_STORE *cached_store = get_cached_x509_store(data, conn); + X509_STORE *cached_store; + bool cache_criteria_met; /* Consider the X509 store cacheable if it comes exclusively from a CAfile, or no source is provided and we are falling back to openssl's built-in default. */ - bool cache_criteria_met = SSL_CONN_CONFIG(verifypeer) && - !SSL_CONN_CONFIG(CApath) && - !SSL_CONN_CONFIG(ca_info_blob) && - !SSL_SET_OPTION(primary.CRLfile) && - !SSL_SET_OPTION(native_ca_store); - + cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) && + SSL_CONN_CONFIG(verifypeer) && + !SSL_CONN_CONFIG(CApath) && + !SSL_CONN_CONFIG(ca_info_blob) && + !SSL_SET_OPTION(primary.CRLfile) && + !SSL_SET_OPTION(native_ca_store); + + cached_store = get_cached_x509_store(data, conn); if(cached_store && cache_criteria_met && X509_STORE_up_ref(cached_store)) { SSL_CTX_set_cert_store(backend->ctx, cached_store); } |