httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Sun, 12 Dec 2010 09:28:58 GMT
On 11.12.2010 20:27, Jim Jagielski wrote:
> I've heard no objections, so on monday (12/13) I'll start
> the T&R.

Is there any chance that the attached patch might make it into
2.3.10? It includes two OCSP related changes for mod_ssl:

- addresses https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
  by adding two config directives (SSLOCSPResponseTimeSkew and
  SSLOCSPResponseMaxAge) and defining new default values

- prevents mod_ssl from doing unnecessary OCSP checks
  (valid self-issued certs, i.e. trust anchors configured through
  SSLCACertificate{File,Path})

Note that mod_ssl's current hardcoded OCSP defaults for the time skew
(60 seconds) and the max age (360 seconds) are quite aggressive -
especially the latter one. As PR 49784 illustrates, real-world OCSP
responses often have a validity of one or more days, and are not updated
at 5-minute intervals. I therefore suggest defaulting to -1 for the max
age, and to 300 seconds for the time skew - this also matches the
defaults which are currently applied in mod_ssl's OCSP stapling code.

Kaspar
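The freshness rules the two directives tune are easier to reason about with a small model. The following Python is an added example, not code from the message, the attached patch, or mod_ssl; it assumes the same semantics as OpenSSL's OCSP_check_validity(thisUpdate, nextUpdate, skew, maxAge), which mod_ssl applies to each OCSP response: thisUpdate may not be more than the skew in the future, nor (if max age is >= 0) more than max age in the past, and nextUpdate may not be more than the skew in the past. The sample responses, their timestamps and the two parameter sets are constructed for the example; the "old" set mirrors the 60/360 second values the message criticises and the "proposed" set the 300/-1 values it suggests.

```python
"""Model of the OCSP response freshness check with tunable time skew and max age."""
from datetime import datetime, timedelta, timezone

# Constructed for this example: the hardcoded values discussed in the message
# and the defaults it proposes (seconds; -1 disables the max-age check).
OLD_DEFAULTS = {"time_skew": 60, "max_age": 360}
PROPOSED_DEFAULTS = {"time_skew": 300, "max_age": -1}


def check_ocsp_validity(this_update, next_update, now, time_skew, max_age):
    """Apply OCSP_check_validity-style rules (assumed semantics, see lead-in).

    Returns (ok, reasons); reasons lists every rule the response failed.
    """
    reasons = []
    skew = timedelta(seconds=time_skew)
    # thisUpdate may not lie more than time_skew seconds in the future
    if this_update > now + skew:
        reasons.append("status not yet valid")
    # with max_age >= 0, thisUpdate may not be older than max_age seconds
    if max_age >= 0 and this_update < now - timedelta(seconds=max_age):
        reasons.append("status too old")
    if next_update is not None:
        # nextUpdate may not lie more than time_skew seconds in the past
        if next_update < now - skew:
            reasons.append("status expired")
        if next_update < this_update:
            reasons.append("nextUpdate before thisUpdate")
    return (not reasons, reasons)


def sample_responses(now):
    """Constructed (thisUpdate, nextUpdate) pairs relative to a fixed clock."""
    return {
        # typical responder: produced a day ago, valid for about a week
        "daily_response": (now - timedelta(days=1), now + timedelta(days=6)),
        # responder clock running two minutes ahead of the server clock
        "clock_ahead": (now + timedelta(minutes=2), now + timedelta(days=7)),
        # genuinely stale: nextUpdate passed an hour ago
        "expired": (now - timedelta(days=8), now - timedelta(hours=1)),
    }


# Fixed "now" so the results are deterministic (constructed value).
FIXED_NOW = datetime(2010, 12, 12, 9, 28, 58, tzinfo=timezone.utc)


def reject_reasons(name, time_skew, max_age):
    """Reasons a named sample response is rejected under the given settings."""
    this_upd, next_upd = sample_responses(FIXED_NOW)[name]
    return check_ocsp_validity(this_upd, next_upd, FIXED_NOW, time_skew, max_age)[1]


def evaluate_sample_responses():
    """Accept/reject verdict for every sample under both parameter sets."""
    results = {}
    for name in sample_responses(FIXED_NOW):
        results[name] = {
            label: not reject_reasons(name, **cfg)
            for label, cfg in (("old", OLD_DEFAULTS), ("proposed", PROPOSED_DEFAULTS))
        }
    return results


if __name__ == "__main__":
    for name, verdicts in evaluate_sample_responses().items():
        print(f"{name:15s} old={verdicts['old']!s:5s} proposed={verdicts['proposed']}")
```

With the 360 second max age, a perfectly good response issued a day ago is rejected as too old, and a responder whose clock is two minutes ahead fails the 60 second skew; under the proposed values both are accepted while the genuinely expired response is still refused. In the configuration these correspond to the SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge directives introduced by the patch.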
