httpd-dev mailing list archives

From Jim Jagielski <>
Subject Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Mon, 13 Dec 2010 14:24:03 GMT
This late in the game, I would prefer to do this post-2.3.10...
safer that way.

On Dec 13, 2010, at 1:09 AM, Kaspar Brand wrote:

> On 12.12.2010 13:05, Dr Stephen Henson wrote:
>> It also makes sense to add a directive to make the OCSP timeout configurable.
>> This can be done in the OCSP stapling code but not the OCSP code itself. The
>> current default is (I think) the same as the http request timeout which is way
>> too long in practice: if an OCSP responder doesn't respond in a few seconds it
>> isn't likely to respond at all.
> Agreed, attached is v2 of the patch. It adds an SSLOCSPResponderTimeout
> directive, which defaults to 10 seconds. I also added the cfgMergeInt
> statements in ssl_engine_config.c, which I forgot in v1 by mistake.
> There are actually additional improvements I would like to see with the
> OCSP (clientauth) checking - in particular, having a cache (possibly
> reusing code from the stapling code)... but I was hoping that we could
> get the proposed fixes in for 2.3.10, at least. Reviews and/or commits
> are much appreciated - thanks!
> Kaspar
> <mod_ssl-ocsp-v2.patch>
