author | Sergey Kandaurov <pluknet@nginx.com> | 2025-01-13 21:40:04 +0400 |
committer | pluknet <pluknet@nginx.com> | 2025-01-17 04:37:46 +0400 |
commit | 4b96ad14f3607ab39b160715aeba721097ac4da4 (patch) | |
tree | 97ed697efcb569164ff2bd8e0e9ecc025de62944 | |
parent | 0e756d67aa1e42e3b1b360936eb4d6c06bced2c1 (diff) | |
SSL: cache revalidation of file based dynamic certificates.
Revalidation is based on file modification time and uniq file index,
and happens once the cache object's validity time has expired.
-rw-r--r-- | src/event/ngx_event_openssl_cache.c | 44 |
1 files changed, 42 insertions, 2 deletions
diff --git a/src/event/ngx_event_openssl_cache.c b/src/event/ngx_event_openssl_cache.c
index 7589e6c90..eb03e16b2 100644
--- a/src/event/ngx_event_openssl_cache.c
+++ b/src/event/ngx_event_openssl_cache.c
@@ -289,6 +289,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
     void *value;
     time_t now;
     uint32_t hash;
+    ngx_file_info_t fi;
     ngx_ssl_cache_key_t id;
     ngx_ssl_cache_type_t *type;
     ngx_ssl_cache_node_t *cn;
@@ -318,7 +319,33 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
         goto found;
     }
-    if (now - cn->created > cache->valid) {
+    if (now - cn->created <= cache->valid) {
+        goto found;
+    }
+
+    switch (id.type) {
+
+    case NGX_SSL_CACHE_PATH:
+
+        if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
+
+            if (ngx_file_uniq(&fi) == cn->uniq
+                && ngx_file_mtime(&fi) == cn->mtime)
+            {
+                break;
+            }
+
+            cn->mtime = ngx_file_mtime(&fi);
+            cn->uniq = ngx_file_uniq(&fi);
+
+        } else {
+            cn->mtime = 0;
+            cn->uniq = 0;
+        }
+
+        /* fall through */
+
+    default:
         ngx_log_debug1(NGX_LOG_DEBUG_CORE, pool->log, 0, "update cached ssl object: %s", cn->id.data);
@@ -337,9 +364,10 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
         }
         cn->value = value;
-        cn->created = now;
     }
+    cn->created = now;
+
     goto found;
 }
@@ -365,6 +393,18 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
     ngx_cpystrn(cn->id.data, id.data, id.len + 1);
+    if (id.type == NGX_SSL_CACHE_PATH) {
+
+        if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
+            cn->mtime = ngx_file_mtime(&fi);
+            cn->uniq = ngx_file_uniq(&fi);
+
+        } else {
+            cn->mtime = 0;
+            cn->uniq = 0;
+        }
+    }
+
     ngx_ssl_cache_expire(cache, 1, pool->log);
     if (cache->current >= cache->max) {
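Review bot: The unchanged-file test in the second hunk, `ngx_file_uniq(&fi) == cn->uniq && ngx_file_mtime(&fi) == cn->mtime`, relies on st_mtime, which on POSIX has one-second granularity, so a certificate or key rewritten in place within the same second as the recorded mtime and keeping the same inode is treated as unchanged and the previous object is served for another `cache->valid` interval; that bound is worth stating next to the comparison, e.g. `/* mtime has one-second granularity: an in-place rewrite in the same second as the recorded mtime is only noticed on the next change */`. The stat-and-record block is written out twice, here and in the last hunk after `ngx_cpystrn()`, and a small static helper that fills `cn->mtime`/`cn->uniq` from `id.data` (zeroing both on `NGX_FILE_ERROR`) would keep the two copies in step. The enclosing `ngx_ssl_cache_connection_fetch()` starts and ends outside these hunks, so the reload path between `default:` and `cn->value = value;` is not visible here and I have not assumed what it does on failure.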