Delete OCSP Response cache when certificate renewed

build/test-lua.sh

@@ -30,6 +30,7 @@ resty \
   --shdict "configuration_data 5M" \
   --shdict "certificate_data 16M" \
   --shdict "certificate_servers 1M" \
+  --shdict "ocsp_response_cache 1M" \
   --shdict "balancer_ewma 1M" \
   --shdict "balancer_ewma_last_touched_at 1M" \
   --shdict "balancer_ewma_locks 512k" \

rootfs/etc/nginx/lua/certificate.lua

@@ -182,7 +182,7 @@ local function fetch_and_cache_ocsp_response(uid, der_cert)
   end
   if forcible then
     ngx.log(ngx.NOTICE, "removed an existing item when saving OCSP response, ",
-      "consider increasing shared dictionary size for 'ocsp_reponse_cache'")
+      "consider increasing shared dictionary size for 'ocsp_response_cache'")
   end
 end
 

rootfs/etc/nginx/lua/configuration.lua

@@ -11,6 +11,7 @@ local pairs = pairs
 local configuration_data = ngx.shared.configuration_data
 local certificate_data = ngx.shared.certificate_data
 local certificate_servers = ngx.shared.certificate_servers
+local ocsp_response_cache = ngx.shared.ocsp_response_cache
 
 local EMPTY_UID = "-1"
 
@@ -100,6 +101,11 @@ local function handle_servers()
   end
 
   for uid, cert in pairs(configuration.certificates) do
+    local old_cert = certificate_data:get(uid)
+    if old_cert ~= nil and old_cert ~= cert then
+        ocsp_response_cache:delete(uid)
+    end
+
     local success, set_err, forcible = certificate_data:set(uid, cert)
     if not success then
       local err_msg = string.format("error setting certificate for %s: %s\n",

rootfs/etc/nginx/lua/test/configuration_test.lua

@@ -4,6 +4,7 @@ local configuration = require("configuration")
 local unmocked_ngx = _G.ngx
 local certificate_data = ngx.shared.certificate_data
 local certificate_servers = ngx.shared.certificate_servers
+local ocsp_response_cache = ngx.shared.ocsp_response_cache
 
 function get_backends()
   return {
@@ -184,6 +185,56 @@ describe("Configuration", function()
       assert.same(ngx.status, ngx.HTTP_BAD_REQUEST)
     end)
 
+    it("should not delete ocsp_response_cache if certificate remain the same", function()
+      ngx.shared.certificate_data.get = function(self, uid)
+        return "pemCertKey"
+      end
+
+      mock_ssl_configuration({
+        servers = { ["hostname"] = UUID },
+        certificates = { [UUID] = "pemCertKey" }
+      })
+
+      local s = spy.on(ngx.shared.ocsp_response_cache, "delete")
+      assert.has_no.errors(configuration.handle_servers)
+      assert.spy(s).was_not_called()
+    end)
+
+    it("should not delete ocsp_response_cache if certificate is empty", function()
+      ngx.shared.certificate_data.get = function(self, uid)
+          return nil
+      end
+
+      mock_ssl_configuration({
+        servers = { ["hostname"] = UUID },
+        certificates = { [UUID] = "pemCertKey" }
+      })
+
+      local s = spy.on(ngx.shared.ocsp_response_cache, "delete")
+      assert.has_no.errors(configuration.handle_servers)
+      assert.spy(s).was_not_called()
+    end)
+
+    it("should delete ocsp_response_cache if certificate changed", function()
+      local stored_entries = {
+          [UUID] = "pemCertKey"
+      }
+
+      ngx.shared.certificate_data.get = function(self, uid)
+          return stored_entries[uid]
+      end
+
+      mock_ssl_configuration({
+        servers = { ["hostname"] = UUID },
+        certificates = { [UUID] = "pemCertKey2" }
+      })
+
+      local s = spy.on(ngx.shared.ocsp_response_cache, "delete")
+
+      assert.has_no.errors(configuration.handle_servers)
+      assert.spy(s).was.called_with(ocsp_response_cache, UUID)
+    end)
+
     it("deletes server with empty UID without touching the corresponding certificate", function()
       mock_ssl_configuration({
         servers = { ["hostname"] = UUID },