httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk
Date Sun, 30 Aug 2015 06:36:57 GMT
On 29.08.2015 17:56, olli hauer wrote:
> On 2015-07-03 12:13, Plüm, Rüdiger, Vodafone Group wrote:
>> Thanks for the detailed explanation. So yes, OCSP stapling is really
>> beneficial if it is possible for the server admin to set it up. But
>> it likely requires additional configuration steps outside of httpd
>> to make the OCSP responder reachable (like firewall clearances) and
>> leads to otherwise strange "slow" responses if this is not
>> prepared. Another obstacle with the current stapling code is that
>> the connection to the OCSP responder of the CA needs to happen
>> directly and cannot be done via a proxy. Hence I agree with Kaspar
>> that it should be off by default.
>> 
> 
> Not tested, but looking at the mod_ssl doc it seems
> SSLStaplingForceURL can be used to proxy requests to the OCSP
> responder(s)
> 
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
>
> In case SSLStaplingForceURL can be used to force OCSP requests via
> proxy it would be nice to add something like the following patch
> before enabling OCSP stapling as default.

It can't be used like this, as pointed out in [1]. Its main use is for
certs which do not include an OCSP URI at all, so configuring
SSLStaplingForceURL at the global level doesn't make much sense - you
would have to run a "transparent OCSP proxy" at that URL (mod_ssl will
just send plain OCSP requests to this address).

Kaspar

[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201411.mbox/%3C5454A1FE.6060204%40velox.ch%3E
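The following mod_ssl configuration is an added illustration of the points made in this thread; it is not code from the thread or from the httpd project. It shows stapling enabled with a global cache and conservative failure handling (so an unreachable responder does not turn into slow handshakes or handshake failures), one virtual host whose certificate carries an AIA OCSP URI, and one whose certificate has none, which is the case SSLStaplingForceURL exists for. Host names, file paths and the responder URL are assumptions.

```apache
# Global (server config) section: a stapling cache must exist before
# SSLUseStapling can be turned on in any virtual host.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# Keep a responder outage from turning into the "strange slow responses"
# mentioned in the thread: short responder timeout, and do not pass
# responder errors on to clients (the handshake then simply carries no
# stapled response instead of failing).
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 600
SSLStaplingStandardCacheTimeout 3600

# Host whose certificate contains an OCSP URI in its AIA extension.
# mod_ssl uses that URI as-is; httpd must be able to reach the responder
# directly, since the stapling code does not go through an HTTP proxy.
<VirtualHost *:443>
    # assumed host name and paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLUseStapling on
</VirtualHost>

# Host whose certificate has no OCSP URI in its AIA extension.
# SSLStaplingForceURL supplies the responder address for this cert only;
# mod_ssl sends plain OCSP requests to it, so the URL is not a proxy
# setting and is deliberately not placed in the global section.
<VirtualHost *:443>
    # assumed host name, paths and responder URL
    ServerName legacy.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/legacy.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.com.key
    SSLUseStapling on
    SSLStaplingForceURL http://ocsp.example-ca.test/
</VirtualHost>
```

To check that a stapled response is actually being served, connect with `openssl s_client -connect www.example.com:443 -servername www.example.com -status` and look for "OCSP Response Status: successful" in the output; "OCSP response: no response sent" means httpd could not obtain a response, typically because the responder is not reachable from the server (the firewall clearance case raised above).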
