Hi, On Mon, 12 Jun 2017 17:25:39 +0200 Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> 1. Hand out existing responses until expired
> 2. Persist responses (is this just a config/default issue?)
> 3. Start update responses at server start/regular intervals
> 4. Use something better than HTTP/1.0 requests

1-3 cover the important issues, I'm not sure http/1.0 is a major problem. Are there any problems with that / CAs that serve OCSP only over HTTP/1.1? (to be clear: certainly desirable to have a better solution here, but I feel that isn't the most important issue.)

What I think also needs to be handled:

* There's https://bz.apache.org/bugzilla/show_bug.cgi?id=59049 which indicates that faulty responses from the OCSP server may bring the server into a faulty state from which it doesn't recover. I haven't tried to reproduce this, but it certainly should be fixed as well, probably just some missing error check though.

* Some of the existing options imho don't make any sense and should default to off and maybe even be forced off (so that setting them to "on" doesn't do anything). That includes SSLStaplingFakeTryLater and SSLStaplingReturnResponderErrors. Unless I'm missing something I don't see any situation in which stapling OCSP errors is desirable.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
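For readers following the thread, here is an httpd mod_ssl configuration fragment that applies the point made above: it enables stapling with a persistent-ish shared cache and explicitly turns off the two directives named in the mail, so a responder error or a "try later" placeholder is never stapled into the handshake. This is an added illustration, not a configuration taken from the thread or from the httpd project; the cache path, cache size and timeout values are assumptions chosen for the example, and the directive defaults mentioned in the comments are the ones documented for mod_ssl at the time of this discussion.

```apache
# Added example (not from the thread): OCSP stapling settings with the
# error-stapling directives discussed above forced off.
# Server-level context (outside <VirtualHost>): the stapling cache must be
# defined globally. Path and size are assumed values for this example.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com          # placeholder hostname
    SSLEngine On
    SSLCertificateFile    /etc/ssl/example/fullchain.pem   # placeholder path
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem     # placeholder path

    # Enable stapling for this vhost.
    SSLUseStapling On

    # Weak setting (the documented default is On): if the OCSP responder
    # returns an error, that error is stapled to clients.
    # Hardened setting: do not pass responder errors on to clients.
    SSLStaplingReturnResponderErrors Off

    # Weak setting (the documented default is On): when no valid response is
    # available, httpd synthesizes a "tryLater" OCSP response and staples it.
    # Hardened setting: staple nothing rather than a fake response.
    SSLStaplingFakeTryLater Off

    # Bound how long a responder fetch may block a handshake, and how long
    # good and failed responses stay in the cache (seconds; assumed values).
    SSLStaplingResponderTimeout 5
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout 600
</VirtualHost>
```

With both directives Off, a responder outage degrades to "no stapled response" (the client falls back to its own OCSP behaviour) instead of presenting the client with an error or placeholder as if it were the CA's answer. Whether a server actually staples can be checked from a client with `openssl s_client -connect host:443 -status`, which prints the stapled response status when one is present.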