On Wednesday 22 December 2010 16:11:21 Dr Stephen Henson wrote:
> On 22/12/2010 15:32, Rob Stradling wrote:
> > On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
> > <snip>
> > 
> >> Would it be possible to make OCSP Stapling enabled by default (when the
> >> server certificate contains an OCSP Responder URL in the AIA extension)
> >> instead of disabled by default?
> >> (Perhaps "SSLUseStapling" could be replaced by "SSLDisableStapling")
> > 
> > Steve et al,
> > 
> > Could you possibly spare a moment to answer this question?
> 
> I was seeing if anyone else would comment on this first. It is of course
> technically possible.
> 
> The OCSP stapling code requires an additional directive to enable an OCSP
> stapling cache: so this would break existing configuration files if enabled
> by default.

Would it be possible to change the OCSP stapling code so that it will set up 
the OCSP stapling cache with some sensible default settings if the 
SSLStaplingCache directive is not specified anywhere in the config files?

> More significantly the code hasn't been tested extensively "in the field"
> so there may be problems that have yet to be uncovered.

That's a fair point.

> My personal opinion would be to, at least initially, require an explicit
> directive to enable it and leave the option in future to have it enabled by
> default.

Makes sense.  "tested extensively in the field" isn't likely to happen until 
httpd 2.4.x is released and significant numbers of sites upgrade.  Hopefully 
it would be "safe" to enable it by default in a fairly early 2.4.x point 
release.

> Anyone else have any thoughts on the matter?
> 
> Steve.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
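For readers following the thread, the configuration shape under discussion, as an added example that is not part of the original messages: the two directives named above as they shipped in httpd 2.4 mod_ssl. The point Steve raises is that "SSLUseStapling on" alone is not enough; the cache must be declared separately, and it must sit at global scope rather than inside the VirtualHost. The paths, hostname and cache size below are assumptions for illustration.

```apache
# Global scope (outside any <VirtualHost>): the stapling cache is a
# server-config directive. Without this line, "SSLUseStapling on" below
# fails at startup, which is the configuration-breakage concern in the thread.
# shmcb = shared-memory cyclic buffer; 32768 bytes is an assumed size.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com          # assumed hostname
    SSLEngine on
    # Certificate chain must carry an OCSP responder URL in the AIA extension,
    # otherwise mod_ssl has nothing to query and staples no response.
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt   # assumed path
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key # assumed path
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt      # assumed path

    # Enables the stapled OCSP response in the TLS handshake (off by default,
    # as the thread describes).
    SSLUseStapling on
    # Fail closed rather than relaying a responder error to clients; optional,
    # also a 2.4 directive.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

To verify that a response is actually being stapled after the server is restarted, run `openssl s_client -connect www.example.com:443 -status` and look for an "OCSP Response Status: successful" block near the top of the output; "OCSP response: no response sent" means stapling is not active for that connection.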
