Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 207D318283 for ; Sun, 30 Aug 2015 06:37:09 +0000 (UTC) Received: (qmail 50922 invoked by uid 500); 30 Aug 2015 06:37:08 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 50849 invoked by uid 500); 30 Aug 2015 06:37:08 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 50839 invoked by uid 99); 30 Aug 2015 06:37:08 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 30 Aug 2015 06:37:08 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 12987183C20 for ; Sun, 30 Aug 2015 06:37:08 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.106 X-Spam-Level: X-Spam-Status: No, score=-0.106 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.006] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=velox.ch header.b=rBrc+cyy; dkim=pass (2048-bit key) header.d=velox.ch header.b=npdMqmU3 Received: from mx1-us-east.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 29A9hRF0XN9b for ; Sun, 30 Aug 2015 06:37:07 +0000 (UTC) Received: from fornix.velox.ch (fornix.velox.ch [85.25.46.13]) by mx1-us-east.apache.org (ASF Mail Server at mx1-us-east.apache.org) with ESMTPS id A591742B13 for ; Sun, 30 Aug 2015 06:37:06 +0000 (UTC) Received: from cortex.velox.ch (77-57-164-164.dclient.hispeed.ch [77.57.164.164]) (authenticated bits=0) by fornix.velox.ch (8.14.9/8.14.9/2.2) with ESMTP id t7U6awMn013067 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Sun, 30 Aug 2015 08:36:59 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=fornix-727e; t=1440916619; bh=HeneplI7975WtUIsM7J17jLkebUiQ9L3OFoPoFFc/Rs=; h=From:Subject:To:References:Date:In-Reply-To; b=rBrc+cyy78KUrMwYjArTmUp+x709NbU9P68dsD3HU5pfgseoXx1AcHdwCZjgf7E9S zDPiz7oZpSKH3casMhMDFTjqgMEmP8y8/NOmeGayOAjDMxfu5qpywgl0/5Hr3aFTEe foQeD4JtU8m/JSjdQrBbNljubsc6Erg3ZHXf2F55bTQlT0Mn0rwauVmy+2096G9QwS 5KXCLTYlXi1OybTGSRvHbm2Cb1sTlLMPeWE32tNi96I7JTbThVUrWTNMjH0wORZ/ro iA8jnU1EQGZqVOa2iKx90xLGSrGb1vd1CdM4uHVEikjLawNbrlVr6fObC+KCiQKLQG 8UnUhkn/kOfHw== From: Kaspar Brand DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58; t=1440916617; bh=HeneplI7975WtUIsM7J17jLkebUiQ9L3OFoPoFFc/Rs=; h=From:Subject:To:References:Date:In-Reply-To; b=npdMqmU3Mw7sXZ9b0hQROKsvkDulaveh1L9bmn5iXbgszFK3mXpRW1BkVc9JxNlAG wIOj+W9uGUv+XEwIFa2vhKivQ3EMjFK6x7PsfKv0cfb/ZT4q9N+ZBkV0AMkB+6Zsjp FHQi+aeBbQbmqvIu7v4VN1YtsU4eQOPHMXNp1WBg0FVr6bE0maaYTx5UtMRU2wpVJp 0P8zxDWYfzTzOk1CNQdGnW2Yx7xWYUTOVo3lO9zL1cpTNk/lajUCFl9CUzZqvOmACz cKrXoBpsRS+MNS5eM+JltQ2JyMI2xV3SCJsIk0mQZhBaeQU3CEqDfJFDezO2NcXtpT jwP/8rLSsapfQ== Subject: Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk To: dev@httpd.apache.org References: <5454A244.6070006@velox.ch> <55957CF1.2050302@apache.org> <55965D5A.3040706@comodo.com> <55E1D63F.2040808@gmx.de> Message-ID: <55E2A489.6000403@velox.ch> Date: Sun, 30 Aug 2015 08:36:57 +0200 MIME-Version: 1.0 In-Reply-To: <55E1D63F.2040808@gmx.de> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit On 29.08.2015 17:56, olli hauer wrote: > On 2015-07-03 12:13, Plüm, Rüdiger, Vodafone Group wrote: >> Thanks for the detailed explanation. So yes OCSP stapling is really >> beneficial if it is possible for the server admin to set it up. But >> it likely requires additional configuration steps outside of httpd >> to make the OCSP responder reachable (like firewall clearances) and >> leads to otherwise strange "slow" responses if this is not >> prepared. Another obstacle with the current stapling code is that >> the connection to the OCSP responder of the CA needs to happen >> directly and cannot be done via a proxy. Hence I agree with Kaspar >> that it should be off by default. >> > > Not tested, but looking at the mod_ssl doc it seems > SSLStaplingForceURL can be used to proxy requests to the OCSP > responder(s) > > http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl > > In case SSLStaplingForceURL can be used to force OCSP requests via > proxy it would be nice to add something like the following patch > before enabling OCSP stapling as default. It can't be used like this, as pointed out in [1]. Its main use is for certs which do not include an OCSP URI at all, so configuring SSLStaplingForceURL at the global level doesn't make much sense - you would have to run a "transparent OCSP proxy" at that URL (mod_ssl will just send plain OCSP requests to this address). Kaspar [1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201411.mbox/%3C5454A1FE.6060204%40velox.ch%3E