httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SSLUseStapling: ssl handshake fails until httpd restart
Date Thu, 01 Oct 2015 13:18:27 GMT


On 01.10.2015 at 15:08, Reindl Harald wrote:
> On 01.10.2015 at 14:53, Plüm, Rüdiger, Vodafone Group wrote:
>>> not really, i had the error message just now again in FF, the difference
>>> was that now a "try again" loaded the page but with
>>> "SSLStaplingReturnResponderErrors" i would expect it invisible to
>>> clients in general - GoDaddy seems to have massive problems with their
>>> responders the last days and the defaults with stapling enabled make
>>> them a perfect DoS target
>>>
>>> [Thu Oct 01 13:33:01.179365 2015] [ssl:error] [pid 19312] [client
>>> 10.0.0.99:37860] AH01980: bad response from OCSP server: (none)
>>> [Thu Oct 01 13:33:01.179393 2015] [ssl:error] [pid 19312] AH01941:
>>> stapling_renew_response: responder error
>>>
>>> SSLStaplingCache shmcb:/var/cache/mod_ssl/ocsp_cache(1048576)
>>> SSLStaplingStandardCacheTimeout 86400
>>> SSLStaplingErrorCacheTimeout 300
>>> SSLStaplingReturnResponderErrors Off
>>
>> What happens if you set
>>
>> SSLStaplingFakeTryLater off
>>
>> in addition?
>
> i added that now and will have a look over the serverlogs, it's not
> happening all the time but very often and so if the logs are clear
> within 24 hours the problem is likely solved

does not look that good - "Connection reset by peer" indicates a failed
client request, the other lines could be just internal

[Thu Oct 01 15:15:01.495986 2015] [ssl:error] [pid 17468] 
(104)Connection reset by peer: [client 81.223.20.5:55156] AH01977: 
failed reading line from OCSP server
[Thu Oct 01 15:15:01.496037 2015] [ssl:error] [pid 17468] [client 
81.223.20.5:55156] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 15:15:01.496057 2015] [ssl:error] [pid 17468] AH01941: 
stapling_renew_response: responder error
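
To track how often stapling renewals fail after a directive change like the one tested in this thread, the error-log lines can be grouped into one incident per failed renewal. The following is an added example, not part of the original message or of httpd; the function name, the grouping by pid and second, and the cause labels are assumptions made for illustration.

```python
import re

# Error-log lines quoted in the message above, with the mail client's
# line wrapping undone (one log entry per line).
SAMPLE_LOG = """\
[Thu Oct 01 13:33:01.179365 2015] [ssl:error] [pid 19312] [client 10.0.0.99:37860] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 13:33:01.179393 2015] [ssl:error] [pid 19312] AH01941: stapling_renew_response: responder error
[Thu Oct 01 15:15:01.495986 2015] [ssl:error] [pid 17468] (104)Connection reset by peer: [client 81.223.20.5:55156] AH01977: failed reading line from OCSP server
[Thu Oct 01 15:15:01.496037 2015] [ssl:error] [pid 17468] [client 81.223.20.5:55156] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 15:15:01.496057 2015] [ssl:error] [pid 17468] AH01941: stapling_renew_response: responder error
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<oserr>[^:]+): )?"      # optional "(104)Connection reset by peer: "
    r"(?:\[client (?P<client>[^\]]+)\] )?"            # optional "[client ip:port] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
STAPLING_CODES = {"AH01977", "AH01980", "AH01941"}    # the codes seen in this thread

def stapling_incidents(log_text):
    """Group stapling errors by (pid, second) into one incident per failed renewal."""
    incidents = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["code"] not in STAPLING_CODES:
            continue
        second = m["ts"].split(".")[0]                # drop microseconds and year
        inc = incidents.setdefault((m["pid"], second), {
            "pid": int(m["pid"]), "time": second, "codes": [],
            "client": None, "os_error": None})
        inc["codes"].append(m["code"])
        inc["client"] = inc["client"] or m["client"]  # connection the entry was logged against
        inc["os_error"] = inc["os_error"] or m["oserr"]
    for inc in incidents.values():
        # AH01977 carries an OS-level read error (here: connection reset);
        # without it only the "bad response" line was logged.
        inc["cause"] = "read_error" if "AH01977" in inc["codes"] else "bad_response"
    return list(incidents.values())

if __name__ == "__main__":
    for inc in stapling_incidents(SAMPLE_LOG):
        print(inc)
```

Counting incidents per hour before and after a configuration change gives a concrete answer to "are the logs clear within 24 hours".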

