Subject: Re: SSLUseStapling: ssl handshake fails until httpd restart
From: Tim Bannister
To: dev@httpd.apache.org
Date: Sun, 4 Oct 2015 11:46:43 +0100
In-Reply-To: <5611019E.9020106@velox.ch>
References: <560A49E5.2090500@thelounge.net> <560AAEEC.2080500@gmail.com> <560ABB39.2030805@thelounge.net> <560B8452.5070800@velox.ch> <560D1B12.4060502@thelounge.net> <560D3041.2060300@thelounge.net> <560D32A3.6080800@thelounge.net> <560D43E9.4020809@thelounge.net> <560F9D02.8070905@velox.ch> <560FA8F8.2010003@thelounge.net> <5611019E.9020106@velox.ch>

On 4 Oct 2015, at 11:38, Kaspar Brand wrote:
>
> As far as the mod_ssl side is related, it seems to me that for the "SSLStaplingReturnResponderErrors off" case, we should make sure that we only staple responses with status "good" (i.e. OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD for the cert).

If the OCSP response is successful but the status isn't V_OCSP_CERTSTATUS_GOOD, I'd want httpd to at least log a warning (as well as not stapling the OCSP information). Maybe even add a Warning: header for any client that's interested.

I can attempt a patch for this if other people think it'd be useful.

-- 
Tim Bannister – isoma@c8h10n4o2.org.uk