httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57121] ocsp stapling should not pass temporary server outages to clients
Date Mon, 28 Aug 2017 14:32:57 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57121

Fabian Wenk <fabian@wenks.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fabian@wenks.ch

--- Comment #3 from Fabian Wenk <fabian@wenks.ch> ---
Instead of adding a new SSLStaplingRefreshTime, why not just use a fraction (e.g.
half) of SSLStaplingStandardCacheTimeout to refresh?
But still, if it fails at refresh time, then it has to work when cache timeout
is reached.

Maybe something like this could work better / be safer:
Try to refresh at half of SSLStaplingStandardCacheTimeout; if it fails, try to
refresh more often, e.g. every 1/10 of SSLStaplingStandardCacheTimeout, until it
succeeds, and then SSLStaplingStandardCacheTimeout starts again at max. Or
simply just try to refresh at every 1/10 of SSLStaplingStandardCacheTimeout.

To make fewer requests to the CA, set the default of SSLStaplingStandardCacheTimeout
to 86400 (1 day), so the refresh will happen every 2.4 hours.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
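
The two refresh schedules proposed in comment #3, as an added example that is not part of the original message and is not mod_ssl code: a small C simulation that counts how long the cached OCSP response stays past the cache timeout during a responder outage. The function name, the outage window and the assumption that retries continue every 1/10 of the timeout after expiry are constructed for illustration.

```c
#include <stdio.h>

/*
 * Added illustration (not mod_ssl code). Simulates, second by second, the
 * refresh policy sketched in the comment and returns how many seconds in
 * [0, horizon) the cached OCSP response was older than the cache timeout.
 *
 * timeout       cache lifetime in seconds (SSLStaplingStandardCacheTimeout)
 * first_div     2  = refresh at half the timeout, 1/10 retries on failure
 *               10 = simply refresh every 1/10 of the timeout
 * outage_start, outage_end   responder unreachable in [start, end)
 *
 * Assumption: retries keep running every timeout/10 after the entry expires.
 */
long expired_seconds(long timeout, int first_div,
                     long outage_start, long outage_end, long horizon)
{
    long fetched = 0;                   /* time of last successful fetch */
    long next = timeout / first_div;    /* time of next refresh attempt */
    long expired = 0;
    long t;

    for (t = 0; t < horizon; t++) {
        if (t == next) {
            int responder_up = (t < outage_start || t >= outage_end);
            if (responder_up) {
                fetched = t;
                next = t + timeout / first_div;  /* back to normal interval */
            } else {
                next = t + timeout / 10;         /* failed: retry sooner */
            }
        }
        if (t - fetched >= timeout)
            expired++;
    }
    return expired;
}

int main(void)
{
    long T = 86400, horizon = 3 * 86400;   /* 1-day timeout, 3-day window */
    /* Constructed outage: responder down from 86400 s to 140000 s. */
    printf("half + 1/10 retries: %ld s expired\n",
           expired_seconds(T, 2, 86400, 140000, horizon));
    printf("every 1/10:          %ld s expired\n",
           expired_seconds(T, 10, 86400, 140000, horizon));
    return 0;
}
```

With this constructed outage the half-timeout schedule enters the outage holding a response that is already 43200 s old and runs past the timeout for 17280 s, while the every-1/10 schedule holds one that is only 8640 s old and never expires.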