httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hanno Böck <>
Subject Re: ocsp stapling improvements
Date Mon, 12 Jun 2017 22:48:07 GMT

On Mon, 12 Jun 2017 17:25:39 +0200
Stefan Eissing <> wrote:

> 1. Hand out existing responses until expired
> 2. Persist responses (is this just a config/default issue?)
> 3. Start update responses at server start/regular intervals
> 4. Use something better than HTTP/1.0 requests

1-3 covers the important issues, I'm not sure http/1.0 is a major
problem. Are there any problems with that / CAs that serve OCSP only
over HTTP/1.1?
(to be clear: certainly desirable to have a better solution here, but I
feel that isn't the most important issue.)

What I think needs also be handled:
* There's
  which indicates that faulty responses from the OCSP server may bring
  the server into a faulty state from which it doesn't recover. I
  haven't tried to reproduce this, but it certianly should be fixed as
  well, probably just some missing error check tough.
* Some of the existing options imho don't make any sense and should
  default to off and maybe even be forced off (so that setting them to
  "on" doesn't do anything). That includes SSLStaplingFakeTryLater and
  SSLStaplingReturnResponderErrors. Unless I'm missing something I
  don't see any situation in which stapling OCSP errors is desirable.

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

View raw message