httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default
Date Mon, 28 Nov 2011 14:15:09 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #18 from Kai Engert <kaie@kuix.de> 2011-11-28 14:15:09 UTC ---
> If you set:
> 
> http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslstaplingreturnrespondererrors
> 
> to "off", it should not send staple the "try later" responses, if I am
> understanding things correctly.


Thanks.

This doesn't seem to work as intended. I set it of "off", both at the global
level (near the "Listen" statement), and also inside the VirtualHost section.
Still, I sometimes get the "tryLater" answer (as reported by openssl s_client).


Beside, I wonder if the default value of SSLStaplingReturnResponderErrors
should rather be "off"?

Clients might refuse to consider stapled errors anyway, because there is the
risk that a MITM staples an error response together with a hacker server cert,
trying to stop the client from getting a newer status.

I think stapling makes most sense for "good and fresh" OCSP information, and
clients should attempt to fetch fresh information on their own, whenever it's
not yet available.


> We don't have any caching across restarts; I'm not sure whether the utility of
> that is worth the extra complexity; fetching a new OCSP response should be
> cheap anyway.  Perhaps we could have a way to populate the cache at startup, or
> else, fail.


I understand that caching is simple for servers that run only a single SSL
server - but I also understand that the configuration options of Apache are
flexible, and allow any number of SSL ports - which creates complexity.

The current behaviour should be OK for the initial release of OCSP stapling by
default.

However, it would be very helpful to find a way to save the OCSP information
across restarts.

One great benefit of OCSP stapling is that it can relax the dependency on the
uptime of OCSP responder servers.

Clients might eventually decide that "fresh and good" OCSP information is
mandatory, even as a default setting in browsers.

Being able to cache the recent OCSP information on the server side would be
highly desired, in order to avoid server unavailability caused by OCSP servers
being temporarily unresponsive.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message