Date: Wed, 9 Feb 2011 04:13:11 -0500 (EST)
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 50740] New: Enable OCSP Stapling by default
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_ssl
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: rob@comodo.com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: bugs@httpd.apache.org
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Summary: Enable OCSP Stapling by default
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: rob@comodo.com

Currently, OCSP Stapling is disabled by default. To enable it, the "SSLUseStapling On" directive must be added to the config, along with another directive that enables an OCSP Stapling Cache.

OCSP Stapling benefits pretty much everyone:

- End-users: Improved privacy and faster SSL/TLS handshakes, because the client software does not need to contact a third-party OCSP Responder to get the current status of the end-entity certificate.
- CAs: Decreased load, bandwidth requirements and cost for operating an OCSP Responder infrastructure.
- Websites: No direct benefits, but they often care about their end-users' interests.

My concern is that many webmasters will not add the necessary config directives to enable OCSP Stapling, even though there is no downside to enabling it. I imagine that many webmasters have probably never even heard of OCSP Stapling!

Therefore, I propose that mod_ssl should enable OCSP Stapling by default, without any config directives needing to be specified. (Aside: this would match the behaviour of IIS 7.x on Windows Vista/2008 Server and newer.)

The OCSP Stapling Cache would need to be created automatically with some sensible default values.
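Because the report's point is that stapling is silently off unless configured, a webmaster needs a way to confirm it is actually being served. The following shell check is an added example, not part of the bug report or of mod_ssl; it assumes the output format of the OpenSSL `s_client -status` command and uses constructed sample transcripts so it can run offline.

```shell
#!/bin/sh
# Added example: classify whether a TLS server staples an OCSP response by
# parsing `openssl s_client -status` output. Assumed format: a stapled
# response prints "OCSP Response Status: successful (0x0)" followed by
# "Cert Status: good|revoked|unknown"; an unstapled server prints
# "OCSP response: no response sent".

# Read s_client output on stdin and print one of:
#   stapled <cert-status>   server sent a status_request response
#   not-stapled             no OCSP response in the handshake
#   unknown                 output matched neither form
stapling_status() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*)
      st=$(printf '%s\n' "$out" \
           | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
      printf 'stapled %s\n' "${st:-unparsed}" ;;
    *"OCSP response: no response sent"*)
      printf 'not-stapled\n' ;;
    *)
      printf 'unknown\n' ;;
  esac
}

# Probe a live host (needs network). SNI is sent so name-based vhosts answer.
check_stapling() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | stapling_status
}

# Constructed sample transcripts, abridged from the s_client format.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.com'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_STAPLED"   | stapling_status   # stapled good
  printf '%s\n' "$SAMPLE_UNSTAPLED" | stapling_status   # not-stapled
elif [ -n "${1:-}" ]; then
  check_stapling "$1" "${2:-443}"
fi
```

On the server side, the two directives the report refers to are `SSLUseStapling On` and `SSLStaplingCache` (for example `SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"` at server-config level); this script only verifies the result from the client side.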