httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Sun, 12 Dec 2010 12:05:12 GMT
On 12/12/2010 09:28, Kaspar Brand wrote:
> On 11.12.2010 20:27, Jim Jagielski wrote:
>> I've heard no objections, so on monday (12/13) I'll start
>> the T&R.
> 
> Is there any chance that the attached patch might make it into
> 2.3.10? It includes two OCSP related changes for mod_ssl:
> 
> - addresses https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
>   by adding two config directives (SSLOCSPResponseTimeSkew and
>   SSLOCSPResponseMaxAge) and defining new default values
> 
> - prevents mod_ssl from doing unnecessary OCSP checks
>   (valid self-issued certs, i.e. trust anchors configured through
>   SSLCACertificate{File,Path})
> 
> Note that mod_ssl's current hardcoded OCSP defaults for the time skew
> (60 seconds) and the max age (360 seconds) are quite aggressive -
> especially the latter one. As PR 49784 illustrates, real-world OCSP
> responses often have a validity of one or more days, and are not updated
> at 5-minute intervals. I therefore suggest defaulting to -1 for the max
> age, and to 300 seconds for the time skew - this also matches the
> defaults which are currently applied in mod_ssl's OCSP stapling code.
> 

It also makes sense to add a directive to make the OCSP timeout configurable.
This can be done in the OCSP stapling code but not the OCSP code itself. The
current default is (I think) the same as the http request timeout which is way
too long in practice: if an OCSP responder doesn't respond in a few seconds it
isn't likely to respond at all.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
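Added example, not part of this thread and not mod_ssl's or OpenSSL's own code: a small Python model of the response-freshness check that the two directives discussed above control. It follows the semantics of OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec) as I understand them, with SSLOCSPResponseTimeSkew as the skew and SSLOCSPResponseMaxAge as the max age (-1 disables the age check). The NOW timestamp, the response timestamps and the helper names (check_ocsp_validity, check_offsets, compare_defaults) are constructed for illustration; the two parameter sets are the hardcoded defaults and the proposed defaults quoted in the thread.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Values quoted in the thread: the hardcoded mod_ssl defaults and the proposed ones.
CURRENT_DEFAULTS = {"skew": 60, "max_age": 360}
PROPOSED_DEFAULTS = {"skew": 300, "max_age": -1}

# Constructed "current time" so the example is deterministic (the message's date).
NOW = datetime(2010, 12, 12, 12, 5, 12, tzinfo=timezone.utc)


def check_ocsp_validity(this_update: datetime, next_update: Optional[datetime],
                        now: datetime, skew: int, max_age: int) -> List[str]:
    """Return the list of freshness failures; an empty list means the response is acceptable.

    Modelled on OpenSSL's OCSP_check_validity():
      - thisUpdate may be at most `skew` seconds in the future (clock-skew allowance);
      - if max_age >= 0, thisUpdate may be at most `max_age` seconds in the past;
        max_age == -1 disables the age check;
      - nextUpdate, if present, may be at most `skew` seconds in the past and
        must not precede thisUpdate.
    """
    errors: List[str] = []
    if this_update > now + timedelta(seconds=skew):
        errors.append("status not yet valid")
    if max_age >= 0 and this_update < now - timedelta(seconds=max_age):
        errors.append("status too old")
    if next_update is not None:
        if next_update < now - timedelta(seconds=skew):
            errors.append("status expired")
        if next_update < this_update:
            errors.append("nextUpdate before thisUpdate")
    return errors


def check_offsets(this_update_offset: int, next_update_offset: Optional[int],
                  skew: int, max_age: int) -> List[str]:
    """Convenience wrapper: offsets are seconds relative to NOW (negative = in the past)."""
    this_update = NOW + timedelta(seconds=this_update_offset)
    next_update = None if next_update_offset is None else NOW + timedelta(seconds=next_update_offset)
    return check_ocsp_validity(this_update, next_update, NOW, skew, max_age)


def compare_defaults(this_update_offset: int, next_update_offset: Optional[int]) -> Dict[str, List[str]]:
    """Evaluate one response under both parameter sets from the thread."""
    return {
        name: check_offsets(this_update_offset, next_update_offset, **params)
        for name, params in (("current", CURRENT_DEFAULTS), ("proposed", PROPOSED_DEFAULTS))
    }


if __name__ == "__main__":
    # Constructed responses: (description, thisUpdate offset, nextUpdate offset) in seconds.
    samples = [
        ("issued 1 day ago, valid for 7 days (typical responder)", -86400, 6 * 86400),
        ("responder clock 2 minutes ahead of ours", 120, 86400),
        ("genuinely stale: nextUpdate passed 3 days ago", -10 * 86400, -3 * 86400),
        ("malformed: nextUpdate precedes thisUpdate", 0, -100),
    ]
    for description, this_off, next_off in samples:
        results = compare_defaults(this_off, next_off)
        print(f"{description}:")
        for name, errors in results.items():
            print(f"  {name:8s} defaults -> {'OK' if not errors else ', '.join(errors)}")
```

The first sample is the PR 49784 situation: a perfectly good response from a responder that refreshes daily is rejected as "too old" under a 360-second max age and accepted once the age check is disabled. The second shows what the larger skew buys. The last two show that the proposed values still reject a response whose nextUpdate has passed and one whose timestamps are inconsistent, so relaxing the defaults does not turn the check off.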
