httpd-dev mailing list archives

From: Dr Stephen Henson <shen...@oss-institute.org>
Subject: Re: mod_ssl ssl_util_stapling.c warnings
Date: Wed, 22 Dec 2010 16:11:21 GMT

On 22/12/2010 15:32, Rob Stradling wrote:
> On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
> <snip>
>> Would it be possible to make OCSP Stapling enabled by default (when the
>> server certificate contains an OCSP Responder URL in the AIA extension)
>> instead of disabled by default?
>> (Perhaps "SSLUseStapling" could be replaced by "SSLDisableStapling")
> 
> Steve et al,
> 
> Could you possibly spare a moment to answer this question?
> 

I was seeing if anyone else would comment on this first. It is of course
technically possible.

The OCSP stapling code requires an additional directive to enable an OCSP
stapling cache: so this would break existing configuration files if enabled by
default.

More significantly the code hasn't been tested extensively "in the field" so
there may be problems that have yet to be uncovered.

My personal opinion would be to, at least initially, require an explicit
directive to enable it and leave the option in future to have it enabled by default.

Anyone else have any thoughts on the matter?

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
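
Added example (not part of the original message, and not mod_ssl code): a small Python check for the configuration dependency described in the message above, flagging `SSLUseStapling on` in a config text that sets no stapling cache. It assumes the cache directive is named `SSLStaplingCache`, as in the mod_ssl documentation, does not follow `Include`d files, and runs on constructed sample configs.

```python
import re

# httpd directive names are case-insensitive; match only the two we care about.
DIRECTIVE = re.compile(
    r"^\s*(SSLUseStapling|SSLStaplingCache)\s+(\S.*?)\s*$", re.IGNORECASE
)


def parse_directives(conf_text):
    """Yield (line_no, lowercased name, argument) for the stapling directives."""
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # commented-out directives do not count
            continue
        m = DIRECTIVE.match(line)
        if m:
            yield line_no, m.group(1).lower(), m.group(2)


def stapling_without_cache(conf_text):
    """Return line numbers of 'SSLUseStapling on' when no SSLStaplingCache is set."""
    enabled, cache_seen = [], False
    for line_no, name, arg in parse_directives(conf_text):
        if name == "sslstaplingcache":
            cache_seen = True
        elif arg.lower() == "on":
            enabled.append(line_no)
    return [] if cache_seen else enabled


# Constructed sample: stapling switched on, cache directive only present as a comment.
BROKEN = """\
<VirtualHost *:443>
    SSLEngine on
    # SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    SSLUseStapling on
</VirtualHost>
"""

# Constructed sample: cache defined at server level, stapling enabled in the vhost.
FIXED = """\
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
    SSLEngine on
    sslusestapling On
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, stapling_without_cache(conf))
```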
