On Thu, Oct 30, 2014 at 4:54 PM, Hanno Böck <ha...@hboeck.de> wrote:
> On Thu, 30 Oct 2014 10:51:15 -0400
> Jeff Trawick <traw...@gmail.com> wrote:
>
> > # Define a relatively small cache for OCSP Stapling using
> > # the same mechanism that is used for the SSL session cache
> > # above. If stapling is used with more than a few certificates,
> > # the size may need to be increased. (AH01929 will be logged.)
>
> Could this be made a bit more precise?
> What's "more than a few certificates"? Preferably there should be some
> rough calculation (certs*Xkb) that gives a safe margin for the space.
>

I don't know if a tighter language will actually help.

* The 32K and "few" roughly matches the largest per-certificate responses that mod_ssl can handle. So that's the "safe margin".
* I have read that the responses can vary from a few hundred bytes to a few K bytes, and I have seen a few in the 500-600 byte range, so I expect that for most cases there will actually be a "huge margin" with the default config.

With LogLevel TraceN you can see the cache stores for the responses.

>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: BBB51E42
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/