https://bz.apache.org/bugzilla/show_bug.cgi?id=64306
--- Comment #1 from [email protected] ---

On the face of it, this would be an error on the part of the OCSP proxy. In all likelihood it didn't respond in a timely manner to the OCSP query from Apache.

There are a couple of non-trivial things that I saw in the stapling code of Apache that could go wrong with a proxy.

Apache reads the OCSP proxy answer in HTTP 1.0 fashion. So, if the OCSP proxy returns the answer but doesn't cut the connection immediately at the end of it, there is a risk of Apache not receiving it before the timeout, even if it is in fact completely sent.

It may also be that the OCSP proxy couldn't get a response from the origin OCSP responder itself and didn't have anything cached. If it just hangs up before Apache times out its request, it won't be a problem apart from the response not being stapled, but if it keeps Apache waiting, then you get a renewal error in Apache. So, an OCSP proxy needs to have a timeout itself that is lower than that of the Apache timeout setting.

The second, but unlikely, thing is that a client may be sending unsupported stapling extensions in its own request. Apache passes through the stapling request extensions it receives from the client, as is required by the OCSP stapling RFC. It may just so happen that a client that triggers the OCSP renewal in Apache sent an extension that the proxy you use gets stuck with. But again, this seems unlikely.
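The first failure mode the comment describes, an OCSP proxy that sends a complete reply but keeps the connection open, can be reproduced without Apache or a real responder. The following is an added example, not code from the bug, from Apache httpd or from any OCSP proxy: it stands up a constructed proxy stub over a local socket pair and runs two readers against it, one that treats the reply as complete only when the peer closes (the HTTP/1.0-style behaviour the comment attributes to Apache) and one that stops once the advertised Content-Length has arrived. The reply bytes are made up; the body is a placeholder for a DER-encoded OCSP response, and only its length matters. Function names, the stub and the timeouts are all assumptions chosen for the demonstration.

```python
"""Simulate how an HTTP client decides an OCSP proxy's reply is complete.

Added example, not Apache mod_ssl code. The proxy stub below is constructed:
it always sends a full, well-formed reply and then either closes the
connection (well-behaved proxy) or holds it open (the case the comment
warns about). The OCSP body is placeholder bytes, not a real OCSPResponse.
"""
import socket
import threading

# Constructed stand-in for a DER-encoded OCSPResponse; the bytes are arbitrary.
FAKE_OCSP_BODY = b"\x30\x03\x0a\x01\x00"
CONSTRUCTED_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/ocsp-response\r\n"
    b"Content-Length: %d\r\n\r\n" % len(FAKE_OCSP_BODY)
) + FAKE_OCSP_BODY


def start_proxy_stub(hold_open):
    """Return (client_socket, release_event).

    The stub writes the whole reply at once, then either closes immediately
    or keeps the socket open until release_event is set.
    """
    client_side, proxy_side = socket.socketpair()
    release = threading.Event()

    def serve():
        proxy_side.sendall(CONSTRUCTED_REPLY)
        if hold_open:
            release.wait()  # hypothetical misbehaving proxy: reply sent, no FIN
        proxy_side.close()

    threading.Thread(target=serve, daemon=True).start()
    return client_side, release


def read_until_close(sock, timeout):
    """HTTP/1.0-style reader: the reply is complete only when the peer closes.

    Returns the body, or None if the read timeout expires first.
    """
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:  # peer closed: end of reply
                break
            buf += chunk
    except socket.timeout:
        return None
    head, _, body = buf.partition(b"\r\n\r\n")
    return body if head else None


def read_by_content_length(sock, timeout):
    """Reader that trusts Content-Length and stops once that many body bytes
    have arrived, whether or not the peer closes.

    Returns the body, or None on timeout, early EOF or a missing Content-Length.
    """
    sock.settimeout(timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return None
            buf += chunk
        head, _, body = buf.partition(b"\r\n\r\n")
        length = None
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if length is None:
            return None
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                return None
            body += chunk
    except socket.timeout:
        return None
    return body[:length]


def fetch(hold_open, reader, timeout=0.5):
    """Run one reader against the stub; None means the reader timed out."""
    sock, release = start_proxy_stub(hold_open)
    try:
        return reader(sock, timeout)
    finally:
        release.set()  # let a held-open stub finish
        sock.close()


if __name__ == "__main__":
    print("proxy closes, read until close:", fetch(False, read_until_close))
    print("proxy holds open, read until close:", fetch(True, read_until_close))
    print("proxy holds open, read by Content-Length:", fetch(True, read_by_content_length))
```

With the stub closing promptly, both readers return the body. With the stub holding the connection open, the read-until-close reader sits on recv() until its 0.5 s timeout and comes back empty-handed even though every byte of the reply was delivered, which is exactly the renewal failure the comment describes; the Content-Length reader returns the same body in either case. The practical checks on the proxy side follow from this: close the connection as soon as the reply is written, and set the proxy's own upstream timeout below Apache's stapling responder timeout so that a slow origin responder produces a fast failure rather than a hang.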
