httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SSLUseStapling: ssl handshake fails until httpd restart
Date Tue, 29 Sep 2015 16:24:25 GMT


On 29.09.2015 at 17:31, Jeff Trawick wrote:
> On 09/29/2015 04:20 AM, Reindl Harald wrote:
>> is that by intention?
>
> The default timeout before retrying an error seems to be 10 minutes (see
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingerrorcachetimeout),
> which is pretty excessive.
>
> As far as you recall about the time period before you gave up, was that
> within 10 minutes?

I just restarted the servers and disabled stapling since all our 
services were unreachable (before I wrote the second mail 5 different 
hosts with several sites were affected)

In fact the error caching does more harm than benefits - IMHO a better 
"could not reach OCSP server or received an error from it" caching would 
be to just temporarily disable stapling for 10 minutes instead of leading to 
connections failing even from clients which have disabled OCSP completely

>> firefox refused to open our adminpanel with the error below until i
>> restarted httpd - i suggest the server should retry SSLUseStapling
>> when a new client connects and it has failed for whatever reason
>>
>> SSLUseStapling On
>>
>> An error occurred during a connection to *******:8443. The OCSP server
>> suggests trying again later. (Error code:
>> sec_error_ocsp_try_server_later)
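For readers following the thread, here is an added configuration example (not from this message or from the httpd project) showing the mod_ssl stapling directives the discussion touches on, with the default 10-minute error cache shortened and responder errors kept away from clients. The directive names are real mod_ssl 2.4 directives; the cache path, sizes and timeout values are illustrative choices, not recommendations from the thread.

```apache
# Added example, not part of the original thread. Values are illustrative.
# SSLStaplingCache must live in the global server config, not in a <VirtualHost>.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:8443>
    SSLEngine On
    SSLCertificateFile    /path/to/server.crt    # placeholder path
    SSLCertificateKeyFile /path/to/server.key    # placeholder path

    SSLUseStapling On

    # Default is 600 seconds: a cached responder error (e.g. "tryLater") is
    # replayed to every client for 10 minutes, which is the outage the
    # thread describes. 60 seconds bounds the damage of one bad OCSP fetch.
    SSLStaplingErrorCacheTimeout 60

    # Give up on a slow responder quickly instead of stalling handshakes.
    SSLStaplingResponderTimeout 5

    # With this off, responder errors are not stapled into the handshake at
    # all; the server simply sends no OCSP response and clients that do not
    # hard-fail on missing stapling (including those with OCSP disabled)
    # connect normally. The default is on.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

After a change like this, a handshake failure caused by a transient OCSP responder error clears within SSLStaplingErrorCacheTimeout seconds rather than persisting until a restart, and clients see at worst a missing stapled response instead of a stapled "try later" error.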

