MEDIUM: ssl: add ocsp-update.mindelay and ocsp-update.maxdelay

This patch deprecates tune.ssl.ocsp-update.* in favor of
"ocsp-update.*".

Since the ocsp-update is not really a tunable of the SSL connections.

doc/configuration.txt

@@ -1290,6 +1290,8 @@ The following keywords are supported in the "global" section :
    - nbthread
    - node
    - numa-cpu-mapping
+   - ocsp-update.maxdelay
+   - ocsp-update.mindelay
    - ocsp-update.httpproxy
    - ocsp-update.mode
    - pidfile
@@ -1438,8 +1440,8 @@ The following keywords are supported in the "global" section :
    - tune.ssl.lifetime
    - tune.ssl.maxrecord
    - tune.ssl.ssl-ctx-cache-size
-   - tune.ssl.ocsp-update.maxdelay
-   - tune.ssl.ocsp-update.mindelay
+   - tune.ssl.ocsp-update.maxdelay (deprecated)
+   - tune.ssl.ocsp-update.mindelay (deprecated)
    - tune.vars.global-max-size
    - tune.vars.proc-max-size
    - tune.vars.reqres-max-size
@@ -2171,12 +2173,27 @@ numa-cpu-mapping
   already specified, for example via the 'cpu-map' directive or the taskset
   utility.
 
-
 ocsp-update.httpproxy <address>[:port]
   Allow to use an HTTP proxy for the OCSP updates. This only works with HTTP,
   HTTPS is not supported. This option will allow the OCSP updater to send
   absolute URI in the request to the proxy.
 
+ocsp-update.maxdelay <number>
+tune.ssl.ocsp-update.maxdelay <number> (deprecated)
+  Sets the maximum interval between two automatic updates of the same OCSP
+  response. This time is expressed in seconds and defaults to 3600 (1 hour). It
+  must be set to a higher value than "ocsp-update.mindelay". See
+  option "ocsp-update" for more information about the auto update mechanism.
+
+ocsp-update.mindelay <number>
+tune.ssl.ocsp-update.mindelay <number> (deprecated)
+  Sets the minimum interval between two automatic updates of the same OCSP
+  response. This time is expressed in seconds and defaults to 300 (5 minutes).
+  It is particularly useful for OCSP response that do not have explicit
+  expiration times. It must be set to a lower value than
+  "ocsp-update.maxdelay". See option "ocsp-update" for more
+  information about the auto update mechanism.
+
 ocsp-update.mode [ on | off ]
   Sets the default ocsp-update mode for all certificates used in the
   configuration. This global option can be superseded by the crt-list
@@ -4020,20 +4037,6 @@ tune.ssl.ssl-ctx-cache-size <number>
   dynamically is expensive, they are cached. The default cache size is set to
   1000 entries.
 
-tune.ssl.ocsp-update.maxdelay <number>
-  Sets the maximum interval between two automatic updates of the same OCSP
-  response. This time is expressed in seconds and defaults to 3600 (1 hour). It
-  must be set to a higher value than "tune.ssl.ocsp-update.mindelay". See
-  option "ocsp-update" for more information about the auto update mechanism.
-
-tune.ssl.ocsp-update.mindelay <number>
-  Sets the minimum interval between two automatic updates of the same OCSP
-  response. This time is expressed in seconds and defaults to 300 (5 minutes).
-  It is particularly useful for OCSP response that do not have explicit
-  expiration times. It must be set to a lower value than
-  "tune.ssl.ocsp-update.maxdelay". See option "ocsp-update" for more
-  information about the auto update mechanism.
-
 tune.stick-counters <number>
   Sets the number of stick-counters that may be tracked at the same time by a
   connection or a request via "track-sc*" actions in "tcp-request" or

src/ssl_ocsp.c

@@ -2023,7 +2023,9 @@ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
 static struct cfg_kw_list cfg_kws = {ILH, {
 #ifndef OPENSSL_NO_OCSP
 	{ CFG_GLOBAL, "tune.ssl.ocsp-update.maxdelay", ssl_parse_global_ocsp_maxdelay },
+	{ CFG_GLOBAL, "ocsp-update.maxdelay", ssl_parse_global_ocsp_maxdelay },
 	{ CFG_GLOBAL, "tune.ssl.ocsp-update.mindelay", ssl_parse_global_ocsp_mindelay },
+	{ CFG_GLOBAL, "ocsp-update.mindelay", ssl_parse_global_ocsp_mindelay },
 	{ CFG_GLOBAL, "ocsp-update.mode", ssl_parse_global_ocsp_update_mode },
 	{ CFG_GLOBAL, "ocsp-update.httpproxy", ocsp_update_parse_global_http_proxy },
 #endif