httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 50740] New: Enable OCSP Stapling by default
Date Wed, 09 Feb 2011 09:13:11 GMT

           Summary: Enable OCSP Stapling by default
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl

Currently, OCSP Stapling is disabled by default.  To enable it, the
"SSLUseStapling On" directive must be added to the config, along with another
directive that enables an OCSP Stapling Cache.

OCSP Stapling benefits pretty much everyone:
  - End-users: Improved privacy and faster SSL/TLS handshakes, because the
client software does not need to contact a third-party OCSP Responder to get
the current status of the end-entity certificate.
  - CAs: Decreased load, bandwidth requirements and cost for operating an OCSP
Responder infrastructure.
  - Websites: No direct benefits, but they often care about their end-users'

My concern is that many webmasters will not add the necessary config directives
to enable OCSP Stapling, even though there is no downside to enabling it.  I
imagine that many webmasters have probably never even heard of OCSP Stapling!

Therefore, I propose that mod_ssl should enable OCSP Stapling by default,
without any config directives needing to be specified.  (Aside: this would
match the behaviour of IIS 7.x on Windows Vista/2008 Server and newer).

The OCSP Stapling Cache would need to be created automatically with some
sensible default values.
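The configuration the report refers to, as an added example that is not part of bug 50740 or of the httpd project's own default config. The directive names are mod_ssl's (httpd 2.4 documentation); the hostname, file paths and cache size are assumptions.

```apache
# Added example: the directives a webmaster currently has to supply by hand
# to get OCSP Stapling in mod_ssl.  Apache config does not allow trailing
# comments on a directive line, so every comment sits on its own line.

# The stapling cache must be declared in global server scope, outside any
# <VirtualHost>.  shmcb is the shared-memory cache mod_ssl ships with; the
# path is relative to ServerRoot and the 32 KiB size is an assumed value,
# enough for a handful of certificates.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    # Assumed hostname and assumed file paths.
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # mod_ssl needs the issuer certificate to build the OCSP request.
    # Supply the chain here (or inside SSLCertificateFile on httpd 2.4.8+).
    SSLCertificateChainFile /etc/ssl/certs/issuer-chain.pem

    # Enable stapling for this host.  If SSLStaplingCache is missing from
    # the global scope, httpd reports an error at startup instead of
    # silently serving without a staple.
    SSLUseStapling on

    # Caveats a practitioner usually adds: bound the outbound OCSP fetch so
    # a slow responder cannot stall handshakes (default 10 s), and do not
    # pass responder errors on to clients (default on), so a responder
    # outage degrades to "no staple" rather than a stapled error response.
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

Two checks worth running once this is in place. The server itself must be able to reach the CA's OCSP responder over outbound HTTP, so a host with no egress gets no staple regardless of configuration. From a client, `openssl s_client -connect www.example.com:443 -servername www.example.com -status </dev/null 2>/dev/null | grep -A2 'OCSP'` prints "OCSP Response Status: successful (0x0)" when a staple is attached, and "OCSP response: no response sent" when it is not.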
