httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk
Date Sun, 30 Aug 2015 06:36:57 GMT
On 29.08.2015 17:56, olli hauer wrote:
> On 2015-07-03 12:13, Plüm, Rüdiger, Vodafone Group wrote:
>> Thanks for the detailed explanation. So yes, OCSP stapling is really
>> beneficial if it is possible for the server admin to set it up. But
>> it likely requires additional configuration steps outside of httpd
>> to make the OCSP responder reachable (like firewall clearances) and
>> leads to otherwise strange "slow" responses if this is not
>> prepared. Another obstacle with the current stapling code is that
>> the connection to the OCSP responder of the CA needs to happen
>> directly and cannot be done via a proxy. Hence I agree with Kaspar
>> that it should be off by default.
> Not tested, but looking at the mod_ssl doc it seems
> SSLStaplingForceURL can be used to proxy requests to the OCSP
> responder(s).
> In case SSLStaplingForceURL can be used to force OCSP requests via
> proxy it would be nice to add something like the following patch
> before enabling OCSP stapling as default.

It can't be used like this, as pointed out in [1]. Its main use is for
certs which do not include an OCSP URI at all, so configuring
SSLStaplingForceURL at the global level doesn't make much sense - you
would have to run a "transparent OCSP proxy" at that URL (mod_ssl will
just send plain OCSP requests to this address).
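As an added illustration of the distinction drawn above (example configuration written for this page, not from the thread or the httpd project; hostnames, paths and URLs are placeholders):

```apache
# Added example, not from the thread or the httpd project. Hostnames,
# file paths and responder URLs are placeholders.

# --- Misreading: treating SSLStaplingForceURL as a proxy setting ---------
# Set at the global level, this does NOT route OCSP lookups through
# http://proxy.example.internal:3128. mod_ssl would POST plain OCSP
# requests to that address for every certificate it staples, which only
# works if a transparent OCSP proxy actually answers there.
#
#   SSLUseStapling on
#   SSLStaplingForceURL http://proxy.example.internal:3128

# --- Intended use: override the responder URL for one vhost --------------
# Stapling requires a cache, and SSLStaplingCache is server-config only.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.example.test.crt
    SSLCertificateKeyFile /etc/ssl/example/www.example.test.key

    SSLUseStapling on
    # This certificate carries no OCSP URI in its Authority Information
    # Access extension, so mod_ssl must be told where the CA's responder is.
    SSLStaplingForceURL http://ocsp.example-ca.test/

    # Bound the handshake delay while the responder is unreachable (the
    # "slow responses" concern raised earlier in the thread) and do not
    # staple responder errors to clients.
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

If the responder can only be reached through an HTTP proxy, the option mod_ssl gives you is the transparent OCSP proxy mentioned above, listening at the URL you force; SSLStaplingForceURL itself carries no proxy semantics.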