httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default
Date Wed, 16 Nov 2011 16:06:54 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #17 from Joe Orton <jorton@redhat.com> 2011-11-16 16:06:54 UTC ---
Thanks a lot Kai!

Yes, if you use shmcb: for the shared cache it is expected that the file will not
exist in the filesystem; the filename is used merely as a unique key for the
shared memory segment.

The OCSP response will be renewed whenever it expires from the cache, which
should follow the setting of:

http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslsessioncachetimeout
http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslstaplingerrorcachetimeout

If you set:

http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslstaplingreturnrespondererrors

to "off", it should not staple the "try later" responses, if I am
understanding things correctly.

We don't have any caching across restarts; I'm not sure whether the utility of
that is worth the extra complexity; fetching a new OCSP response should be
cheap anyway.  Perhaps we could have a way to populate the cache at startup, or
else, fail.
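The configuration the comment describes, written out as an added example (not part of Joe Orton's comment or of the httpd project's own documentation). It assumes the mod_ssl stapling directives as documented for httpd 2.3/2.4; the certificate paths, cache size and timeout values are placeholders chosen for illustration.

```apache
# Added example, not from the bug comment or the httpd docs.
# The stapling cache is global (server config level). With shmcb: the
# path is only a key naming the shared-memory segment; no such file is
# created on disk, so a missing /var/run/ocsp is expected.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    SSLUseStapling on

    # Seconds a good OCSP response stays in the cache; once it expires
    # mod_ssl fetches a fresh one from the responder (illustrative value).
    SSLStaplingStandardCacheTimeout 3600

    # Seconds a responder failure is cached before the next retry
    # (illustrative value).
    SSLStaplingErrorCacheTimeout 600

    # With the default "on", responder errors such as "try later" are
    # stapled to clients. "off" suppresses that: the client then sees no
    # stapled response at all rather than a stapled error, and falls back
    # to its own revocation checking.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

Note that Apache does not accept trailing comments on a directive line, so the comments above sit on their own lines. The two timeouts are what control how often a staple is renewed; there is no persistence of the cache across a restart, as the comment says, so the first handshake after startup triggers a fresh responder query.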


