httpd-dev mailing list archives

From Natanael Mignon
Subject AW: OCSP stapling in mod_ssl - use as OCSP cache for client authentication
Date Fri, 11 Sep 2009 11:31:04 GMT
> -----Original Message-----
> From: Dr Stephen Henson
> Sent: Friday, 11 September 2009 11:46
> To:
> Subject: Re: OCSP stapling in mod_ssl - use as OCSP cache for client
> authentication
> Now to the actual query, if I understand it correctly. That patch works in
> reverse to your problem. It is designed to stop thousands of OCSP requests from
> SSL clients connecting to an Apache server and all simultaneously slamming an
> OCSP responder attempting to check the status of that server certificate.

[NM] Right, the patch basically works reverse to our way.

> What I think you are trying to do is to include a cache for OCSP queries the
> proxy itself makes which is IMHO the best solution. So instead of always
> consulting the OCSP responder it instead checks the cache to see if there is a
> valid OCSP response in there, if it is expired or invalid then and only then
> would it renew the response by making an actual query. Doing things that way
> doesn't need OCSP stapling support in the server(s).
>
> If that's correct then you could reuse some of the OCSP response query and
> caching code in the stapling patch. It implements similar functionality.

[NM] That's it, exactly. And I've come to the conclusion, too, that reusing some of your code
for our purpose would be the best solution. Hopefully, we get it right. ;)

Kind regards
 Natanael Mignon

IT services: consult | plan | implement | operate

fon          (+49) 511 260 911-0 (ext.: - 13)
fax          (+49) 511 318 039-9

Please always also send important e-mails to, in order to ensure
that they are handled promptly.
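
The cache-first lookup described in the quoted reply, as an added Python example that is not part of the original message or of the mod_ssl stapling patch. `OcspCache`, `OcspStatus`, the `fetch` callback and the `skew` allowance are hypothetical names; `fetch` is assumed to query the responder and verify the response signature before returning.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CertId = Tuple[str, int]  # (issuer key hash, serial number); constructed key shape

@dataclass(frozen=True)
class OcspStatus:
    status: str          # "good", "revoked" or "unknown"
    this_update: float   # epoch seconds
    next_update: float   # epoch seconds

class OcspCache:
    """Hypothetical proxy-side cache; `fetch` stands in for the real responder query."""
    def __init__(self, fetch: Callable[[CertId], Optional[OcspStatus]],
                 clock: Callable[[], float] = time.time, skew: float = 300.0):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._entries: Dict[CertId, OcspStatus] = {}
        self.queries = 0  # number of real responder queries made

    def _is_current(self, resp: OcspStatus) -> bool:
        now = self._clock()
        return resp.this_update - self._skew <= now < resp.next_update

    def check(self, cert_id: CertId) -> str:
        cached = self._entries.get(cert_id)
        if cached is not None and self._is_current(cached):
            return cached.status              # served from cache, no responder query
        self._entries.pop(cert_id, None)      # expired or invalid entry: drop it
        self.queries += 1
        fresh = self._fetch(cert_id)
        if fresh is None or not self._is_current(fresh):
            return "unknown"                  # never cache or trust a stale answer
        self._entries[cert_id] = fresh
        return fresh.status

def demo():
    now = [1_000_000.0]                                    # constructed clock
    table = {("ab12", 1): "good", ("ab12", 2): "revoked"}  # constructed responder data
    def responder(cid):
        if cid not in table:
            return None                                    # responder has no answer
        return OcspStatus(table[cid], now[0], now[0] + 3600)
    cache = OcspCache(responder, clock=lambda: now[0])
    results = [cache.check(("ab12", 1)), cache.check(("ab12", 1))]
    first_queries = cache.queries                          # second call hit the cache
    now[0] += 3601                                         # move past next_update
    results += [cache.check(("ab12", 1)), cache.check(("ab12", 2)), cache.check(("ab12", 9))]
    return results, first_queries, cache.queries
```

How an "unknown" result is treated for client authentication (reject or allow) is a policy decision left to the caller.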
