[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303582#comment-14303582 ]

James Peach commented on TS-3362:
---------------------------------

Why should we not staple the negative response? If the user agent has to go and
fetch it, that's an opportunity for an attacker to interrupt the transaction (i.e.
an attacker could make the UA believe the OCSP server is unavailable). We
should have a much better reason for making this change than what has been
presented so far.

> Do not staple negative OCSP response
> ------------------------------------
>
>                 Key: TS-3362
>                 URL: https://issues.apache.org/jira/browse/TS-3362
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Feifei Cai
>         Attachments: TS-3362.diff
>
>
> When we get an OCSP response, we check it before we cache/staple it. If it's negative,
> I think we'd better discard it instead of sending it back to the user agent. This
> would not increase the security risk: the user agent would query the CA for the OCSP response
> if ATS does not staple it with the certificate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
