httpd-dev mailing list archives

From Tim Bannister <is...@c8h10n4o2.org.uk>
Subject Re: SSLUseStapling: ssl handshake fails until httpd restart
Date Sun, 04 Oct 2015 10:46:43 GMT
On 4 Oct 2015, at 11:38, Kaspar Brand wrote:
> As far as the mod_ssl side is related, it seems to me that for the "SSLStaplingReturnResponderErrors off" case, we should make sure that we only staple responses with status "good" (i.e. OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD for the cert).

If the OCSP response is successful but the status isn't V_OCSP_CERTSTATUS_GOOD, I'd want httpd
to at least log a warning (as well as not stapling the OCSP information). Maybe even add a
Warning: header for any client that's interested.

I can attempt a patch for this if other people think it'd be useful.


-- 
Tim Bannister – isoma@c8h10n4o2.org.uk
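
The check discussed in this message, as an added example that is not part of the original post and not mod_ssl code: a stdlib-only reader that pulls `responseStatus` and the first `certStatus` out of a DER OCSP response and staples only when both are "successful" and "good", logging a warning otherwise. The function names and the sample responses are constructed for illustration; the sketch assumes single-byte DER tags and does not verify the response signature or validity window.

```python
import logging

CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # certStatus CHOICE tags

def tlvs(buf):  # split DER bytes into (tag, value) pairs; single-byte tags only
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def ocsp_status(der_bytes):
    """Return (responseStatus, certStatus name or None) of a DER OCSPResponse."""
    resp = tlvs(tlvs(der_bytes)[0][1])
    status = int.from_bytes(resp[0][1], "big")  # 0 is "successful"
    if status != 0 or len(resp) < 2:
        return status, None
    rbytes = tlvs(tlvs(resp[1][1])[0][1])   # [0] EXPLICIT ResponseBytes
    basic = tlvs(tlvs(rbytes[1][1])[0][1])  # OCTET STRING wraps BasicOCSPResponse
    responses = next(v for t, v in tlvs(basic[0][1]) if t == 0x30)  # in ResponseData
    single = tlvs(tlvs(responses)[0][1])    # certID, certStatus, thisUpdate, ...
    return status, CERT_STATUS.get(single[1][0])

def should_staple(der_bytes):  # staple only successful + good; warn otherwise
    try:
        status, cert = ocsp_status(der_bytes)
    except (ValueError, IndexError, StopIteration):
        status = cert = None  # unparseable
    ok = status == 0 and cert == "good"
    if not ok:
        logging.warning("not stapling: responseStatus=%s certStatus=%s", status, cert)
    return ok

def der(tag, *parts):  # encode one DER TLV; used only to build the samples
    body = b"".join(parts)
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (n if len(body) < 0x80 else bytes([0x80 | len(n)]) + n) + body

def sample(cert_status, response_status=0):  # constructed, unsigned skeleton
    t, h = der(0x18, b"20151004104643Z"), der(0x04, bytes(20))
    single = der(0x30, der(0x30, h, h), cert_status, t)  # certID is a stub
    basic = der(0x30, der(0x30, der(0xA2, h), t, der(0x30, single)), der(0x03, b"\x00"))
    rbytes = der(0x30, der(0x06, bytes.fromhex("2b0601050507300101")), der(0x04, basic))
    return der(0x30, der(0x0A, bytes([response_status])), der(0xA0, rbytes))
```
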

