On 4 Oct 2015, at 11:38, Kaspar Brand wrote:
>
> As far as the mod_ssl side is related, it seems to me that for the
> "SSLStaplingReturnResponderErrors off" case, we should make sure that we only
> staple responses with status "good" (i.e. OCSP_RESPONSE_STATUS_SUCCESSFUL and
> V_OCSP_CERTSTATUS_GOOD for the cert).

If the OCSP response is successful but the status isn't V_OCSP_CERTSTATUS_GOOD, I'd want httpd to at least log a warning (as well as not stapling the OCSP information). Maybe even add a Warning: header for any client that's interested. I can attempt a patch for this if other people think it'd be useful.

--
Tim Bannister – is...@c8h10n4o2.org.uk
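
The rule discussed in this thread, as an added example that is not part of the thread and is not mod_ssl or OpenSSL code: a small DER walk that staples only when responseStatus is successful and the certStatus of the first SingleResponse is good, and otherwise says whether a warning is due. Assumptions: `staple_decision`, `enum decision` and `SAMPLE_GOOD` are hypothetical names, the two constants are redefined with their OpenSSL values so the file builds on its own, and signature and validity-period checks are out of scope.

```c
#include <stddef.h>
#include <stdio.h>
enum { OCSP_RESPONSE_STATUS_SUCCESSFUL = 0, V_OCSP_CERTSTATUS_GOOD = 0 }; /* as in OpenSSL's ocsp.h */
enum decision { STAPLE, SKIP, SKIP_AND_WARN };  /* hypothetical names */
/* Read one DER header: returns the tag (-1 on error), sets *len, moves *p to the value. */
static int der_hdr(const unsigned char **p, const unsigned char *end, size_t *len) {
    const unsigned char *q = *p;
    if (end - q < 2) return -1;
    int tag = *q++;
    size_t n = *q++, k = n & 0x7f;
    if (n & 0x80) {                     /* long form: k length octets follow */
        if (k < 1 || k > 2 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *p = q; *len = n;
    return tag;
}
/* Consume one element (tag < 0 accepts any): descend into it, or step over it. */
static int step(const unsigned char **p, const unsigned char **end, int tag, int into) {
    size_t len;
    int t = der_hdr(p, *end, &len);
    if (t < 0 || (tag >= 0 && t != tag)) return 0;
    if (into) *end = *p + len; else *p += len;
    return 1;
}
#define IN(t)   step(&p, &end, (t), 1)
#define OVER(t) step(&p, &end, (t), 0)
/* STAPLE only when responseStatus is successful and the first SingleResponse is good. */
enum decision staple_decision(const unsigned char *der, size_t n) {
    const unsigned char *p = der, *end = der + n;
    size_t len;
    if (!IN(0x30) || der_hdr(&p, end, &len) != 0x0a || len != 1) return SKIP;
    if (*p++ != OCSP_RESPONSE_STATUS_SUCCESSFUL) return SKIP;      /* responder error */
    /* responseBytes [0] > SEQUENCE > (OID) > OCTET STRING > BasicOCSPResponse > tbsResponseData */
    if (!IN(0xa0) || !IN(0x30) || !OVER(0x06) || !IN(0x04) || !IN(0x30) || !IN(0x30)) return SKIP;
    if (p < end && *p == 0xa0 && !OVER(0xa0)) return SKIP;         /* optional version */
    /* (responderID) (producedAt) > responses > SingleResponse > (certID), then certStatus */
    if (!OVER(-1) || !OVER(0x18) || !IN(0x30) || !IN(0x30) || !OVER(0x30)) return SKIP;
    int tag = der_hdr(&p, end, &len);
    if (tag != 0x80 && tag != 0xa1 && tag != 0x82) return SKIP;    /* good, revoked, unknown */
    return (tag & 0x1f) == V_OCSP_CERTSTATUS_GOOD ? STAPLE : SKIP_AND_WARN;
}
static const unsigned char SAMPLE_GOOD[] =  /* constructed skeleton, signature fields omitted */
    "\x30\x49\x0a\x01\x00\xa0\x44\x30\x42\x06\x09\x2b\x06\x01\x05\x05\x07\x30\x01\x01"
    "\x04\x35\x30\x33\x30\x31\xa1\x02\x30\x00\x18\x0f" "20151004000000Z"
    "\x30\x1a\x30\x18\x30\x03\x02\x01\x01\x80\x00\x18\x0f" "20151004000000Z";
int main(void) {
    return printf("decision=%d\n", (int)staple_decision(SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1)) < 0;
}
```

`SKIP_AND_WARN` is the case the reply above singles out: a successful response whose certificate status is revoked or unknown.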