> On 13.06.2017 at 00:48, Hanno Böck <ha...@hboeck.de> wrote:
> 
> Hi,
> 
> On Mon, 12 Jun 2017 17:25:39 +0200
> Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> 
>> 1. Hand out existing responses until expired
>> 2. Persist responses (is this just a config/default issue?)
>> 3. Start update responses at server start/regular intervals
>> 4. Use something better than HTTP/1.0 requests
> 
> 1-3 covers the important issues, I'm not sure http/1.0 is a major
> problem. Are there any problems with that / CAs that serve OCSP only
> over HTTP/1.1?
> (to be clear: certainly desirable to have a better solution here, but I
> feel that isn't the most important issue.)

Agreed.

> What I think also needs to be handled:
> * There's
>  https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
>  which indicates that faulty responses from the OCSP server may bring
>  the server into a faulty state from which it doesn't recover. I
>  haven't tried to reproduce this, but it certainly should be fixed as
>  well, probably just some missing error check though.
> * Some of the existing options imho don't make any sense and should
>  default to off and maybe even be forced off (so that setting them to
>  "on" doesn't do anything). That includes SSLStaplingFakeTryLater and
>  SSLStaplingReturnResponderErrors. Unless I'm missing something I
>  don't see any situation in which stapling OCSP errors is desirable.

Will have a look.

- Stefan

> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
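An added example configuration, not taken from the thread or from httpd's own files, showing the two stapling directives Hanno names switched off alongside the cache and timeout directives that decide how long good and failed OCSP responses are kept. The cache path, cache size and timeout values are illustrative assumptions.

```apache
# Added example (not from the thread): OCSP stapling in Apache httpd mod_ssl.
# The cache path, size and timeouts below are illustrative assumptions.

# Weak variant: responder errors and synthesized "tryLater" responses get
# stapled into the handshake, so a flaky CA responder is exposed to every client.
#   SSLUseStapling                   on
#   SSLStaplingCache                 "shmcb:/var/run/apache2/ssl_stapling(32768)"
#   SSLStaplingReturnResponderErrors on
#   SSLStaplingFakeTryLater          on

# Hardened variant (global server context).
SSLUseStapling                   on
# shmcb is an in-memory cache; its contents do not survive a server restart.
SSLStaplingCache                 "shmcb:/var/run/apache2/ssl_stapling(128000)"
# Staple only successful responses; never forward responder errors to clients.
SSLStaplingReturnResponderErrors off
# Only has an effect while ReturnResponderErrors is on; kept off for clarity.
SSLStaplingFakeTryLater          off
# Seconds to wait for the responder before the fetch counts as failed.
SSLStaplingResponderTimeout      10
# Keep good responses for 1 hour and retry failed fetches after 10 minutes.
SSLStaplingStandardCacheTimeout  3600
SSLStaplingErrorCacheTimeout     600
```

To confirm a server actually staples, `openssl s_client -connect host:443 -status` prints an "OCSP Response Status" line when a response was included in the handshake; its absence means the client fell back to no stapled status.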
