From 3e3c7c3646878fbbef07865aca007e112cf0fc26 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 5 Mar 2018 15:18:04 -0500 Subject: Implement multi-process OCSP responder. With "-multi" the OCSP responder forks multiple child processes, and respawns them as needed. This can be used as a long-running service, not just a demo program. Therefore the index file is automatically re-read when changed. The responder also now optionally times out client requests. Reviewed-by: Matt Caswell --- doc/man1/ocsp.pod | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod index e32a68c53b..c9feef8f0e 100644 --- a/doc/man1/ocsp.pod +++ b/doc/man1/ocsp.pod @@ -28,6 +28,7 @@ B B [B<-no_nonce>] [B<-url URL>] [B<-host host:port>] +[B<-multi process-count>] [B<-header>] [B<-path>] [B<-CApath dir>] @@ -187,7 +188,22 @@ This may be repeated. =item B<-timeout seconds> -Connection timeout to the OCSP responder in seconds +Connection timeout to the OCSP responder in seconds. +On POSIX systems, when running as an OCSP responder, this option also limits +the time that the responder is willing to wait for the client request. +This time is measured from the time the responder accepts the connection until +the complete request is received. + +=item B<-multi process-count> + +Run the specified number of OCSP responder child processes, with the parent +process respawning child processes as needed. +Child processes will detect changes in the CA index file and automatically +reload it. +When running as a responder B<-timeout> option is recommended to limit the time +each child is willing to wait for the client's OCSP response. +This option is available on POSIX systems (that support the fork() and other +required unix system-calls). =item B<-CAfile file>, B<-CApath pathname> -- cgit v1.2.3
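Review bot: In the SYNOPSIS hunk, `[B<-multi process-count>]` is placed between `[B<-host host:port>]` and `[B<-header>]`, but its `=item` in the second hunk sits after `B<-timeout seconds>` and before `B<-CAfile file>`, so the option appears in a different position in the two lists. Consider placing the synopsis entry and the description in matching order, so a reader scanning from one to the other finds it where expected. The synopsis entry also gives no hint that the option is only available on POSIX systems, which the description states; if the page has a convention for marking platform-limited options, it would apply here.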
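Review bot: In the `-multi` description, "the time each child is willing to wait for the client's OCSP response" names the wrong message: a responder waits for the client's request, and the `-timeout` text added in this same hunk says so ("willing to wait for the client request"). Suggest "the client's OCSP request". The same sentence is missing an article ("When running as a responder, the B<-timeout> option is recommended"). Since the text recommends `-timeout` for a fixed pool of child processes, it would help to state what happens when it is omitted, for example whether a child then waits on a stalled client without limit, so operators understand why the recommendation matters for availability. Minor: "unix system-calls" would read better as "Unix system calls", and `fork()` could be marked up as `C<fork()>` to match POD conventions.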