Extracting 'nextUpdate' from OCSP stapling responses about lua-resty-core HOT 5 CLOSED

I've updated the title to better reflect our question.
We are working with certificates from letsencrypt and their ocsp responses expire at fixed points in time, irrespective of when the ocsp request was sent. In order to refresh the response, it is vital to know when it expires. Is there any way to do that currently?

from lua-resty-core.

pinging @agentzh
Currently, we are just polling the ocsp endpoint. Because of this, there are intervals where we are stapling an outdated response. It'd be great to do this more efficiently.

from lua-resty-core.

I'm deducing from the lack of responses that there is currently no way of doing this.
I had a look at the openssl and nginx source code and found a) a function that can extract nextUpdate (openssl) and b) a function to convert that value to time_t (nginx).

@agentzh I'd love some feedback on whether a PR on adding a new method to ocsp would be welcome. There are two different method that could solve our issue:

1. get_nextupdate: Would return the nextupdate timestamp as seconds since the unix epoch. Calculating its validity would then happen in lua-land. This may have timezone/clock delay issues.
2. get_nextupdate_validity: Would return the difference between nextupdate and C-land t_now. This way, lua-land can immediately set a time based on this, or, for negative values, request a new ocsp response.

from lua-resty-core.

FWIW we are adding OCSP stapling feature to https://github.com/kubernetes/ingress-nginx and having thisUpdate and nextUpdate attributes exposed on the Lua land would be really useful for deciding cache validity.

from lua-resty-core.

I took an alternative stab at this: #296

from lua-resty-core.