httpd-dev mailing list archives

From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject AW: SSLUseStapling: ssl handshake fails until httpd restart
Date Thu, 01 Oct 2015 14:29:17 GMT


> -----Original Message-----
> From: Reindl Harald [mailto:h.reindl@thelounge.net]
> Sent: Thursday, 1 October 2015 15:18
> To: dev@httpd.apache.org
> Subject: Re: SSLUseStapling: ssl handshake fails until httpd restart
> 
> 
> 
> On 01.10.2015 at 15:08, Reindl Harald wrote:
> > On 01.10.2015 at 14:53, Plüm, Rüdiger, Vodafone Group wrote:
> >>> not really, I had the error message just now again in FF, the difference
> >>> was that now a "try again" loaded the page but with
> >>> "SSLStaplingReturnResponderErrors" I would expect it invisible to
> >>> clients in general - GoDaddy seems to have massive problems with their
> >>> responders the last days and the defaults with stapling enabled make
> >>> them a perfect DoS target
> >>>
> >>> [Thu Oct 01 13:33:01.179365 2015] [ssl:error] [pid 19312] [client 10.0.0.99:37860] AH01980: bad response from OCSP server: (none)
> >>> [Thu Oct 01 13:33:01.179393 2015] [ssl:error] [pid 19312] AH01941: stapling_renew_response: responder error
> >>>
> >>> SSLStaplingCache shmcb:/var/cache/mod_ssl/ocsp_cache(1048576)
> >>> SSLStaplingStandardCacheTimeout 86400
> >>> SSLStaplingErrorCacheTimeout 300
> >>> SSLStaplingReturnResponderErrors Off
> >>
> >> What happens if you set
> >>
> >> SSLStaplingFakeTryLater off
> >>
> >> in addition?
> >
> > I added that now and will have a look over the server logs; it's not
> > happening all the time but very often, so if the logs are clear
> > within 24 hours the problem is likely solved
> 
> doesn't look that good - "Connection reset by peer" indicates a failed
> client request, the other lines could be just internal
> 
> [Thu Oct 01 15:15:01.495986 2015] [ssl:error] [pid 17468] (104)Connection reset by peer: [client 81.223.20.5:55156] AH01977: failed reading line from OCSP server
> [Thu Oct 01 15:15:01.496037 2015] [ssl:error] [pid 17468] [client 81.223.20.5:55156] AH01980: bad response from OCSP server: (none)
> [Thu Oct 01 15:15:01.496057 2015] [ssl:error] [pid 17468] AH01941: stapling_renew_response: responder error


The question is: what happens on the Firefox side? Of course it still tries to get to the OCSP
server, but it should not cause an error on the Firefox side if that does not work.

Regards

Rüdiger
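The thread leaves open whether the AH01977/AH01980/AH01941 lines are client-visible failures or just mod_ssl's internal stapling refresh failing against an unreachable responder. One way to tell an OCSP responder outage apart from a single broken handshake is to triage the error_log by AH code and count responder errors in a time window. The script below is an added example, not code from the thread or from httpd itself; the log text is a constructed copy of the five lines quoted above plus one unrelated startup line, and the function names and the 300-second window are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the five mod_ssl lines quoted in the thread (timestamps and
# client addresses as posted) plus one unrelated core:notice line as noise.
SAMPLE_LOG = """\
[Thu Oct 01 13:33:01.179365 2015] [ssl:error] [pid 19312] [client 10.0.0.99:37860] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 13:33:01.179393 2015] [ssl:error] [pid 19312] AH01941: stapling_renew_response: responder error
[Thu Oct 01 15:15:01.495986 2015] [ssl:error] [pid 17468] (104)Connection reset by peer: [client 81.223.20.5:55156] AH01977: failed reading line from OCSP server
[Thu Oct 01 15:15:01.496037 2015] [ssl:error] [pid 17468] [client 81.223.20.5:55156] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 15:15:01.496057 2015] [ssl:error] [pid 17468] AH01941: stapling_renew_response: responder error
[Thu Oct 01 15:15:09.000000 2015] [core:notice] [pid 17468] AH00094: Command line: '/usr/sbin/httpd'
"""

# One httpd 2.4 error_log line. The "(errno)text:" and "[client addr:port]" parts
# are optional, as the quoted lines show.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \((?P<errno>\d+)\)(?P<oserr>[^:]+):)?"
    r"(?: \[client (?P<client>[^\]]+)\])?"
    r" (?P<code>AH\d{5}): (?P<msg>.*)$"
)

# The OCSP stapling error codes that appear in the thread.
STAPLING_CODES = {
    "AH01977": "failed reading line from OCSP server",
    "AH01980": "bad response from OCSP server",
    "AH01941": "stapling_renew_response: responder error",
}


def parse_log(text):
    """Parse error_log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()  # unmatched optional groups come back as None
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
        records.append(rec)
    return records


def stapling_errors(records):
    """Keep only mod_ssl lines with one of the stapling-related codes."""
    return [r for r in records if r["module"] == "ssl" and r["code"] in STAPLING_CODES]


def summarize(records):
    """Count errors per AH code."""
    return Counter(r["code"] for r in records)


def affected_clients(records):
    """Client endpoints whose handshake coincided with a stapling error."""
    return sorted({r["client"] for r in records if r["client"]})


def max_events_in_window(records, code, window_seconds):
    """Largest number of `code` events inside any window of window_seconds.

    A burst of AH01941 points at the responder being unreachable (the GoDaddy
    situation described in the thread) rather than at one failed client."""
    times = sorted(r["ts"] for r in records if r["code"] == code)
    best = 0
    for i, start in enumerate(times):
        n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
        best = max(best, n)
    return best


if __name__ == "__main__":
    errs = stapling_errors(parse_log(SAMPLE_LOG))
    print(summarize(errs))
    print("clients seen with stapling errors:", affected_clients(errs))
    print("AH01941 renew failures in any 5 min:", max_events_in_window(errs, "AH01941", 300))
```

Run against a real error_log, a rising AH01941 count per window is the signal to watch: it means the stapling cache cannot be refreshed and, with the defaults discussed above, the responder's availability becomes the site's availability. The SSLStaplingReturnResponderErrors / SSLStaplingFakeTryLater settings from the thread decide what clients see in that state; the log triage only tells you how often it happens.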
