> -----Original Message-----
> From: Dr Stephen Henson [mailto:shen...@oss-institute.org]
> Sent: Friday, 11 September 2009 11:46
> To: dev@httpd.apache.org
> Subject: Re: OCSP stapling in mod_ssl - use as OCSP cache for client authentication
> 
 
> Now to the actual query, if I understand it correctly. That patch works in
> reverse to your problem. It is designed to stop thousands of OCSP requests from
> SSL clients connecting to an Apache server and all simultaneously slamming an
> OCSP responder attempting to check the status of that server certificate.

[NM] Right, the patch basically works reverse to our way.

> What I think you are trying to do is to include a cache for OCSP queries the
> proxy itself makes which is IMHO the best solution. So instead of always
> consulting the OCSP responder it instead checks the cache to see if there is a
> valid OCSP response in there, if it is expired or invalid then and only then
> would it renew the response by making an actual query. Doing things that way
> doesn't need OCSP stapling support in the server(s).
> 
> If that's correct then you could reuse some of the OCSP response query and
> caching code in the stapling patch. It implements similar functionality.

[NM] That's it, exactly. And I've come to the conclusion, too, that reusing 
some of your code for our purpose would be the best solution. Hopefully, we get 
it right. ;)

Kind regards
 Natanael Mignon

IT services: consult | plan | implement | operate
__________________________________________________________________________ 

phone        (+49) 511 260 911-0 (ext.: - 13)
fax          (+49) 511 318 039-9
eMail      n...@michael-wessel.de
web        www.michael-wessel.de

Please always send important e-mails to serv...@michael-wessel.de as well, to 
ensure that they are handled promptly.
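
The cache-first lookup discussed in this message, sketched as an added example (not code from the stapling patch or from mod_ssl). `fetch` is a hypothetical callback that performs the real OCSP query and signature check; all names, the one-hour fallback lifetime and the five-minute clock skew are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class OcspEntry:                      # a response whose signature was already verified
    status: str                       # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]   # None if the responder sent no nextUpdate

class OcspCache:
    def __init__(self, fetch: Callable[[str, datetime], Optional[OcspEntry]],
                 max_age=timedelta(hours=1), skew=timedelta(minutes=5)):
        self._fetch, self._max_age, self._skew = fetch, max_age, skew
        self._entries: Dict[str, OcspEntry] = {}
        self.queries = 0              # number of real responder queries made

    def _usable(self, e: OcspEntry, now: datetime) -> bool:
        if e.this_update - self._skew > now:
            return False              # thisUpdate lies in the future: reject
        expiry = e.next_update or e.this_update + self._max_age
        return now < expiry

    def status(self, cert_id: str, now: datetime) -> str:
        cached = self._entries.get(cert_id)
        if cached is not None and self._usable(cached, now):
            return cached.status      # cache hit, responder is not contacted
        self.queries += 1             # missing, expired or invalid: query now
        fresh = self._fetch(cert_id, now)
        if fresh is None or not self._usable(fresh, now):
            self._entries.pop(cert_id, None)
            return "unknown"          # caller must not treat this as "good"
        self._entries[cert_id] = fresh
        return fresh.status

def demo():
    t0 = datetime(2009, 9, 11, 12, 0, tzinfo=timezone.utc)   # constructed clock
    def responder(cert_id, now):      # constructed stand-in for a real responder
        if cert_id == "down":
            return None               # simulates an unreachable responder
        return OcspEntry("good", now, now + timedelta(minutes=10))
    cache = OcspCache(responder)
    results = [cache.status("client-a", t0 + timedelta(minutes=m))
               for m in (0, 5, 9, 10)]
    results.append(cache.status("down", t0))
    return results, cache.queries

if __name__ == "__main__":
    print(demo())
```

Four lookups for the same client certificate inside the validity window cost one responder query, the lookup at expiry costs a second, and an unreachable responder yields "unknown" rather than a stale or assumed "good".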

