Heya, the beautiful people at MOSS, Mozilla's Open Source Support, decided to give me a grant for Let's Encrypt and Stapling improvements in Apache! Big thanks!
I described what I plan to do here: https://github.com/icing/mod_md/wiki/V2Design There are also github issues for collecting feedback and I pointed people to the Apache users mailing list as well. Besides the support for ACMEv2, which is in-scope of the module, I plan to add a new OCSP stapling implementation in the module as well. That may lead to some head scratching here and I want to explain my reasoning and, ideally, get feedback from you. - Any new OCSP stapling implementation must, in the 2.4.x release line, live along side the existing one. We will, with out backward compatibility requirements, never be able to switch that one off in 2.4.x. - We need a new implementation in the near future. OCSP responder downtimes become more threatening for the web, just because everyone goes https: if you look at browser statistics. - The infrastructure is there in mod_md. A curl http client, proxy configuration and the dependency on mod_watchdog already exist. Linkage to openssl (or its cousins) is there as well. - OCSP answers will be persisted in mod_md's file system store and shared between child processes that way. - Of course, the plan is to have it inactive by default, as shipped by us. Admins need to turn it on. If that can be done per vhost, MDomain or globally remains to be discussed. Cheers, Stefan
