I talked to the people originally writing our ssl OCSP code regarding feedback we got from the Let's Encrypt server outage [1]. We agreed that some valid points for improvement were raised and we need a discussion about what should be done about it, here.
I identified the following points so far:

1. Hand out existing responses until expired
2. Persist responses (is this just a config/default issue?)
3. Start update responses at server start/regular intervals
4. Use something better than HTTP/1.0 requests

I think 1) should be not too complicated code changes without any big restructuring. I saw Ruediger already doing some changes.

The reason for 2) is not clear to me. Is this just a configuration issue to have a persistent cache, or is our giving up privileges limiting here?

As to 3), starting a task at server start or after a certain interval, do we have some infrastructure for this? Do we need something new?

On 4), it seems we lack a good http(s) client. The code we use for proxying is not easily reused for new connections, or is it? I see more need for such a thing in the near future.

Feedback appreciated.

Cheers,
-Stefan

[1] https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html