httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Mon, 13 Dec 2010 06:09:29 GMT
On 12.12.2010 13:05, Dr Stephen Henson wrote:
> It also makes sense to add a directive to make the OCSP timeout configurable.
> This can be done in the OCSP stapling code but not the OCSP code itself. The
> current default is (I think) the same as the http request timeout which is way
> too long in practice: if an OCSP responder doesn't respond in a few seconds it
> isn't likely to respond at all.

Agreed, attached is v2 of the patch. It adds an SSLOCSPResponderTimeout
directive, which defaults to 10 seconds. I also added the cfgMergeInt
statements in ssl_engine_config.c, which I forgot in v1 by mistake.

There are actually additional improvements I would like to see with the
OCSP (clientauth) checking - in particular, having a cache (possibly
reusing code from the stapling code)... but I was hoping that we could
get the proposed fixes in for 2.3.10, at least. Reviews and/or commits
are much appreciated - thanks!

Kaspar
