tls: Handle when OCSP responder cert expires before a response it issued (#1922)

* Handle the case of an OCSP responder certificate expiring before an OCSP response it issued * oops * doh, gofmt

tls: Handle when OCSP responder cert expires before a response it issued (#1922)
* Handle the case of an OCSP responder certificate expiring before an OCSP response it issued * oops * doh, gofmt
c6a29117 · Alex Gaynor · Matt Holt · 654f26cb · c6a29117
Commit c6a29117 authored Oct 16, 2017 by Alex Gaynor Committed by Matt Holt Oct 16, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

caddytls/maintain.go caddytls/maintain.go +8 -1

No files found.
--- a/caddytls/maintain.go
+++ b/caddytls/maintain.go
@@ -334,8 +334,15 @@ func DeleteOldStapleFiles() {
 // meaning that it is not expedient to get an
 // updated response from the OCSP server.
 func freshOCSP(resp *ocsp.Response) bool {
+	nextUpdate := resp.NextUpdate
+	// If there is an OCSP responder certificate, and it expires before the
+	// OCSP response, use its expiration date as the end of the OCSP
+	// response's validity period.
+	if resp.Certificate != nil && resp.Certificate.NotAfter.Before(nextUpdate) {
+		nextUpdate = resp.Certificate.NotAfter
+	}
 	// start checking OCSP staple about halfway through validity period for good measure
-	refreshTime := resp.ThisUpdate.Add(resp.NextUpdate.Sub(resp.ThisUpdate) / 2)
+	refreshTime := resp.ThisUpdate.Add(nextUpdate.Sub(resp.ThisUpdate) / 2)
 	return time.Now().Before(refreshTime)
 }