This late in the game, I would prefer to do this post-2.3.10... safer that way.
On Dec 13, 2010, at 1:09 AM, Kaspar Brand wrote:

> On 12.12.2010 13:05, Dr Stephen Henson wrote:
>> It also makes sense to add a directive to make the OCSP timeout configurable.
>> This can be done in the OCSP stapling code but not the OCSP code itself. The
>> current default is (I think) the same as the http request timeout which is way
>> too long in practice: if an OCSP responder doesn't respond in a few seconds it
>> isn't likely to respond at all.
>
> Agreed, attached is v2 of the patch. It adds an SSLOCSPResponderTimeout
> directive, which defaults to 10 seconds. I also added the cfgMergeInt
> statements in ssl_engine_config.c, which I forgot in v1 by mistake.
>
> There are actually additional improvements I would like to see with the
> OCSP (clientauth) checking - in particular, having a cache (possibly
> reusing code from the stapling code)... but I was hoping that we could
> get the proposed fixes in for 2.3.10, at least. Reviews and/or commits
> are much appreciated - thanks!
>
> Kaspar
> <mod_ssl-ocsp-v2.patch>
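The point of the quoted exchange is that an OCSP responder check made during a client-auth handshake must have a short, explicit time budget, because a responder that has not answered within a few seconds is unlikely to answer at all, and an HTTP-request-sized timeout leaves every handshake waiting for it. The following Python example is added here to illustrate that failure mode; it is not code from the thread, the attached patch, or httpd/mod_ssl. It starts a constructed stand-in responder on loopback that accepts the connection and stalls, then runs the same query once with a bounded wait and once with a generous one. The request and response bodies are placeholders rather than real OCSP messages, and the stall and timeout values are chosen for the demonstration; none of them are taken from the page.

```python
import http.server
import socket
import socketserver
import threading
import time
import urllib.error
import urllib.request


class StalledResponder(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an OCSP responder that accepts the connection
    but only answers after `stall_seconds`. It does not speak real OCSP: the
    request and response bodies are placeholders (an assumption of this demo)."""

    stall_seconds = 5.0

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        time.sleep(self.stall_seconds)
        body = b"placeholder-ocsp-response"  # constructed, not a DER OCSPResponse
        try:
            self.send_response(200)
            self.send_header("Content-Type", "application/ocsp-response")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except ConnectionError:
            # The client gave up while we were stalling; nothing left to do.
            pass

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_stalled_responder(stall_seconds):
    """Start the stand-in responder on an ephemeral loopback port; returns the server."""
    StalledResponder.stall_seconds = stall_seconds
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StalledResponder)
    server.daemon_threads = True  # stalled handler threads must not keep the process alive
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query_responder(url, timeout_seconds):
    """POST a placeholder OCSP request with a bounded wait.

    Returns (outcome, elapsed_seconds) where outcome is 'response', 'timeout'
    or 'error'. This mirrors the decision a TLS server faces during a
    client-auth handshake: either the responder answers within the budget, or
    the check is abandoned so the handshake is not held up indefinitely.
    """
    request = urllib.request.Request(
        url,
        data=b"placeholder-ocsp-request",  # constructed, not a DER OCSPRequest
        headers={"Content-Type": "application/ocsp-request"},
    )
    started = time.monotonic()
    try:
        with urllib.request.urlopen(request, timeout=timeout_seconds) as response:
            response.read()
        return "response", time.monotonic() - started
    except urllib.error.URLError as exc:
        # urllib wraps a timeout raised while waiting for the status line.
        timed_out = isinstance(exc.reason, (socket.timeout, TimeoutError))
        return ("timeout" if timed_out else "error"), time.monotonic() - started
    except (socket.timeout, TimeoutError):
        # A timeout raised while reading the body arrives unwrapped.
        return "timeout", time.monotonic() - started


if __name__ == "__main__":
    server = start_stalled_responder(stall_seconds=2.0)
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    # Bounded budget: the check gives up quickly and the server can apply
    # whatever policy it has for an unreachable responder.
    print(query_responder(url, timeout_seconds=0.5))
    # Generous budget (an HTTP-request-sized timeout): every client waits
    # out the responder's full stall before the handshake can continue.
    print(query_responder(url, timeout_seconds=10.0))
    server.shutdown()
    server.server_close()
```

Running it prints a `('timeout', ...)` tuple after roughly half a second followed by a `('response', ...)` tuple after about two seconds, which is the whole argument for a dedicated responder timeout: with a bound, an unresponsive responder costs each handshake a fixed, small delay; without one, the responder's outage becomes the server's. What to do once the check times out (fail closed, or treat the status as unknown) is a policy question this example leaves to the caller.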
