httpd-dev mailing list archives

From Rob Stradling <rob.stradl...@comodo.com>
Subject Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk
Date Fri, 03 Jul 2015 14:37:44 GMT
On 03/07/15 11:13, Plüm, Rüdiger, Vodafone Group wrote:
<snip>
> Thanks for the detailed explanation. So yes OCSP stapling is really beneficial
> if it is possible for the server admin to set it up. But it likely requires additional
> configuration steps outside of httpd to make the OCSP responder reachable (like firewall
> clearances) and leads to otherwise strange "slow" responses if this is not prepared.
> Another obstacle with the current stapling code is that the connection to the OCSP responder
> of the CA needs to happen directly and cannot be done via a proxy.
> Hence I agree with Kaspar that it should be off by default.

Given the current stapling code, that's fair enough.

Is it feasible to engineer around these issues so that stapling could be 
enabled by default in some future httpd release?  If not, what's the 
showstopper?

Thanks.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

