https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
--- Comment #12 from Fabian Wenk <[email protected]> ---
(In reply to [email protected] from comment #11)
> Since I've been using the ocsp_proxy workaround and increased the timeout to
> 30 seconds with "SSLStaplingResponderTimeout 30", I've never had any issue,
> but this is just a workaround, and I don't see why this bug should not be
> fixed.

I have used the settings below without ocsp_proxy for about 8 years without any issues so far. They are based on
https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400

If I remember correctly, the 'must staple' cannot be activated, as there may be cases when it won't return OCSP. I did monitor my server and have never seen an outage so far. But I am using Let's Encrypt certificates on my servers, and as they have turned off their OCSP responder it is gone now.

In my notes I still have a pending (but now obsolete) task to replace the above 'SSLUseStapling' with 'MDStapleOthers' from mod_md (you do not need to use ACME from it) as mentioned by Ruediger Pluem in comment #7. Back then I had found some more details about this at
https://github.com/icing/mod_md#how-to-staple-all-my-certificates
as well. Maybe this is something which may work for you as well.
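
Added example (not part of the comment above and not Apache httpd code): one way to monitor whether a server configured like this is actually stapling is to classify the OCSP section of `openssl s_client -status` output. The function names and the sample outputs are constructed for illustration.

```shell
# Classify the stapling section of `openssl s_client -status` output.
# Prints one of: good | revoked | unknown | no-staple | error
staple_state() {
  out=$1
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    # Expected with SSLStaplingReturnResponderErrors off when httpd has no
    # usable responder answer: the handshake simply carries no staple.
    echo no-staple
  elif ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    # A non-successful OCSP status (or no stapling section at all) reached us.
    echo error
  elif printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
    echo good
  elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
    echo revoked
  else
    echo unknown
  fi
}

# Extract the staple's expiry so a monitor can alert before it goes stale.
staple_next_update() {
  printf '%s\n' "$1" | sed -n 's/^ *Next Update: //p' | head -n 1
}

# Live probe (hypothetical helper; needs network access and the openssl CLI).
probe_host() {
  staple_state "$(openssl s_client -connect "$1:443" -servername "$1" \
    -status </dev/null 2>/dev/null)"
}

# Constructed sample outputs, trimmed to the lines the functions read.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_TRYLATER='OCSP response:
OCSP Response Data:
    OCSP Response Status: trylater (0x3)'
```

Run `probe_host` from cron against each virtual host and alert on anything other than `good`; a steady `no-staple` result means clients are falling back to their own revocation checks.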
