httpd-dev mailing list archives

From Stefan Eissing <>
Subject ocsp stapling improvements
Date Mon, 12 Jun 2017 15:25:39 GMT
I talked to the people originally writing our ssl OCSP code regarding
feedback we got from the Let's Encrypt server outage [1]. We agreed
that some valid points for improvement were raised and we need a
discussion about what should be done about it, here.

I identified the following points so far:

1. Hand out existing responses until expired
2. Persist responses (is this just a config/default issue?)
3. Start updating responses at server start/regular intervals
4. Use something better than HTTP/1.0 requests

I think 1) should be possible without too complicated code changes or
any big restructuring. I saw Ruediger already doing some changes.

The reason for 2) is not clear to me. Is this just a configuration
issue to have a persistent cache or is our giving up privileges
limiting here?

As to 3, starting a task at server start or after a certain interval,
do we have some infrastructure for this? Do we need something new?

On 4, it seems we lack a good http(s) client. The code we use
for proxying is not easily reused for new connections, or is it? I see
more need for such a thing in the near future.

Feedback appreciated.
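Points 1 and 3 of the message above describe a cache policy rather than a data format, so a small model of that policy is added here. This is example code, not httpd's or mod_ssl's own implementation, and nothing in it reflects how mod_ssl actually stores or schedules OCSP responses. The policy values (refresh once half the validity window has elapsed, ten minutes between fetch attempts) and the 7-day response validity are assumed for the illustration. The simulation contrasts keeping a still-valid response across a responder outage with discarding it on the first failed refresh; only an expired response (past its nextUpdate) is withheld.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Constructed cache record for one certificate's stapled OCSP response.
 * Illustrative only; this is not mod_ssl's data structure. */
typedef struct {
    bool   attempted;     /* at least one fetch has been tried */
    bool   have_response; /* a response is held in the cache */
    time_t this_update;   /* thisUpdate of the cached response */
    time_t next_update;   /* nextUpdate: the response is invalid from here on */
    time_t last_attempt;  /* time of the most recent fetch attempt */
} ocsp_cache_t;

typedef enum { STAPLE_NONE, STAPLE_CACHED } staple_action_t;

/* Assumed policy values (not httpd defaults): refresh once half the validity
 * window has elapsed, and wait at least this long between fetch attempts. */
#define REFRESH_NUM     1
#define REFRESH_DEN     2
#define RETRY_INTERVAL  600

/* Point 1: staple whatever valid response we hold. Only an expired response
 * (now >= nextUpdate) is withheld, since clients reject those anyway. */
staple_action_t ocsp_staple_decision(const ocsp_cache_t *c, time_t now)
{
    if (!c->have_response || now >= c->next_update)
        return STAPLE_NONE;
    return STAPLE_CACHED;
}

/* Point 3: decide whether a background refresh should run now. It becomes due
 * well before the cached response expires, so a responder outage shorter than
 * the remaining validity never interrupts stapling. */
bool ocsp_refresh_due(const ocsp_cache_t *c, time_t now)
{
    if (!c->attempted)
        return true;                          /* first fetch, e.g. at server start */
    if (now - c->last_attempt < RETRY_INTERVAL)
        return false;                         /* back off between attempts */
    if (!c->have_response)
        return true;                          /* nothing cached: keep trying */
    time_t window     = c->next_update - c->this_update;
    time_t refresh_at = c->this_update + window * REFRESH_NUM / REFRESH_DEN;
    return now >= refresh_at;
}

/* Record a fetch result. On failure the previously cached response is left
 * untouched; it stays usable until its own nextUpdate. */
void ocsp_cache_record(ocsp_cache_t *c, time_t now, bool ok,
                       time_t this_update, time_t next_update)
{
    c->attempted    = true;
    c->last_attempt = now;
    if (ok) {
        c->have_response = true;
        c->this_update   = this_update;
        c->next_update   = next_update;
    }
}

/* Simulation: one request per hour for `hours` hours; the responder is
 * unreachable during [outage_start, outage_end). Fresh responses carry a
 * constructed 7-day validity. With keep_on_failure == false a failed refresh
 * discards the cached response, the behaviour point 1 argues against.
 * Returns how many of the hours a staple was available. */
int simulate(bool keep_on_failure, time_t outage_start, time_t outage_end, int hours)
{
    ocsp_cache_t c = {0};
    int stapled = 0;
    for (int h = 0; h < hours; h++) {
        time_t now = (time_t)h * 3600;
        if (ocsp_refresh_due(&c, now)) {
            bool up = !(now >= outage_start && now < outage_end);
            if (up) {
                ocsp_cache_record(&c, now, true, now, now + 7 * 24 * 3600);
            } else {
                ocsp_cache_record(&c, now, false, 0, 0);
                if (!keep_on_failure)
                    c.have_response = false;  /* drop the cache on failure */
            }
        }
        if (ocsp_staple_decision(&c, now) == STAPLE_CACHED)
            stapled++;
    }
    return stapled;
}

int main(void)
{
    /* Outage from day 3 to day 6, shorter than the 7-day validity. */
    printf("keep until expired: %d/240 hours stapled\n",
           simulate(true, 72 * 3600, 144 * 3600, 240));
    printf("drop on failure:    %d/240 hours stapled\n",
           simulate(false, 72 * 3600, 144 * 3600, 240));
    return 0;
}
```

With a three-day outage inside a seven-day validity window the keep-until-expired policy staples for all 240 simulated hours, while dropping on failure loses 60 hours. Once an outage outlasts the remaining validity both policies lose the staple, which is why the refresh in point 3 has to start early rather than at expiry. Point 2 (persisting the cache) is orthogonal to this logic: the same decisions apply whether the record lives in shared memory or on disk, persistence only lets the server start with a response already present.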