Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-07 Thread William A Rowe Jr
On Sep 6, 2015 8:09 AM, "Kaspar Brand" wrote: > > On 05.09.2015 13:06, Tim Bannister wrote: > > It's not just conventional browsers. I think automated / embedded > > HTTP clients will also benefit from stapling, either because > > networking filters would block a conversation between the client an

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-06 Thread Reindl Harald
On 06.09.2015 at 15:06, Kaspar Brand wrote: Taking into account that OCSP responders from the big players are running on fairly robust infrastructure these days (cf. the sr.symcd.com example, aka ocsp.verisign.net, aka ocsp.ws.symantec.com.edgekey.net), I'm not buying the "OCSP is unreliable"

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-06 Thread Kaspar Brand
On 05.09.2015 14:23, Jeff Trawick wrote: > On 09/04/2015 10:59 AM, Kaspar Brand wrote: >>> 1. The default configuration should not trigger unsolicited outgoing >>> queries to untrusted systems, for both a) and b), that's how I would put it. > > Re: "unsolicited": > > Key words/phrases from the ot

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-06 Thread Kaspar Brand
On 05.09.2015 13:06, Tim Bannister wrote: > It's not just conventional browsers. I think automated / embedded > HTTP clients will also benefit from stapling, either because > networking filters would block a conversation between the client and > the CA's OCSP responder, or the extra latency from us

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-06 Thread Kaspar Brand
On 05.09.2015 12:53, Ben Laurie wrote: > On Sat, 5 Sep 2015 at 09:32 Kaspar Brand wrote: >> I'm also very sceptical that a higher percentage of handshakes with >> stapled responses (how much exactly?) will lead browser vendors to >> switch to hard fail - as the test-sspev.verisign.com example from

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-05 Thread Jeff Trawick
On 09/04/2015 10:59 AM, Kaspar Brand wrote: On 02.09.2015 01:54, Jeff Trawick wrote: On 08/30/2015 02:30 AM, Kaspar Brand wrote: today's situation, because this assessment misses the fact that with the current RFC-6066-based implementation, stapling can't fully achieve the goal of obviating OCS

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-05 Thread Tim Bannister
On 5 Sep 2015, at 11:53, Ben Laurie wrote: > On Sat, 5 Sep 2015 at 09:32 Kaspar Brand wrote: >> On 04.09.2015 17:54, Rob Stradling wrote: >>> Today, roughly 25% of HTTPS servers on the Internet have OCSP stapling >>> enabled. Browsers aren't likely to start hard-failing by default until >>> th

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-05 Thread Ben Laurie
On Sat, 5 Sep 2015 at 09:32 Kaspar Brand wrote: > On 04.09.2015 17:54, Rob Stradling wrote: > > Today, roughly 25% of HTTPS servers on the Internet have OCSP stapling > > enabled. Browsers aren't likely to start hard-failing by default until > > that % is a lot higher. > > > > The vast majority

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-05 Thread Kaspar Brand
On 04.09.2015 17:54, Rob Stradling wrote: > Today, roughly 25% of HTTPS servers on the Internet have OCSP stapling > enabled. Browsers aren't likely to start hard-failing by default until > that % is a lot higher. > > The vast majority of the servers that have OCSP stapling enabled are > running

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-04 Thread Rob Stradling
On 04/09/15 15:59, Kaspar Brand wrote: > On 02.09.2015 01:54, Jeff Trawick wrote: >> On 08/30/2015 02:30 AM, Kaspar Brand wrote: >>> today's situation, because this assessment misses the fact that with the >>> current RFC-6066-based implementation, stapling can't fully achieve the >>> goal of obvia

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-04 Thread Kaspar Brand
On 02.09.2015 01:54, Jeff Trawick wrote: > On 08/30/2015 02:30 AM, Kaspar Brand wrote: >> today's situation, because this assessment misses the fact that with the >> current RFC-6066-based implementation, stapling can't fully achieve the >> goal of obviating OCSP queries for the clients - all publi

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-01 Thread Jeff Trawick
On 08/30/2015 02:30 AM, Kaspar Brand wrote: On 28.08.2015 19:27, Jeff Trawick wrote: For one, it is appropriate for the default config is there to enable practices which are reasonable in most situations, and OCSP Stapling is widely accepted as an appropriate feature for HTTP servers to enable.

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-09-01 Thread Jeff Trawick
On 08/29/2015 08:10 PM, William A Rowe Jr wrote: On Aug 29, 2015 1:49 PM, "Jeff Trawick" > wrote: > > On 08/28/2015 04:17 PM, Tim Bannister wrote: >> >> Jeff Trawick wrote: >>> >>> >>> As of now there's still a veto on my suggestion of enabli

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-30 Thread Brian Smith
Kaspar Brand wrote: > On 28.08.2015 19:27, Jeff Trawick wrote: > > For one, it is appropriate for the default config is there to enable > > practices which are reasonable in most situations, and OCSP Stapling is > > widely accepted as an appropriate feature for HTTP servers to enable. > > I have

Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-29 Thread Kaspar Brand
On 29.08.2015 17:56, olli hauer wrote: > On 2015-07-03 12:13, Plüm, Rüdiger, Vodafone Group wrote: >> Thanks for the detailed explanation. So yes OCSP stapling is really >> beneficial if it is possible for the server admin to set it up. But >> it likely requires additional configuration steps outsi

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-29 Thread Kaspar Brand
On 28.08.2015 19:27, Jeff Trawick wrote: > For one, it is appropriate for the default config is there to enable > practices which are reasonable in most situations, and OCSP Stapling is > widely accepted as an appropriate feature for HTTP servers to enable. I have some doubts whether "widely accep

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-29 Thread William A Rowe Jr
On Aug 29, 2015 1:49 PM, "Jeff Trawick" wrote: > > On 08/28/2015 04:17 PM, Tim Bannister wrote: >> >> Jeff Trawick wrote: >>> >>> >>> As of now there's still a veto on my suggestion of enabling stapling by >>> default in the httpd trunk config. >> >> Would that default need to be backported to 2.

Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-29 Thread olli hauer
On 2015-07-03 12:13, Plüm, Rüdiger, Vodafone Group wrote: > > >> -Original Message- >> From: Rob Stradling [mailto:rob.stradl...@comodo.com] >> Sent: Friday, 3 July 2015 12:01 >> To: dev@httpd.apache.org >> Subject: Re: [RFC] Enable OCS

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-28 Thread Tim Bannister
Jeff Trawick wrote: > > >As of now there's still a veto on my suggestion of enabling stapling by >default in the httpd trunk config. Would that default need to be backported to 2.4.x? If it can be on by default for trunk/2.5.x, and off by default in earlier releases, this should surprise very fe

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-08-28 Thread Jeff Trawick
On Mon, Jul 13, 2015 at 3:08 AM, Ruediger Pluem wrote: > > > On 07/11/2015 08:55 PM, William A Rowe Jr wrote: > > > If you are suggesting we shouldn't change the compiled-in default, I can > > agree, POLS (Principle Of Least Surprise). If you are suggesting the > default > > config shouldn't ref

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-13 Thread Ruediger Pluem
On 07/11/2015 08:55 PM, William A Rowe Jr wrote: > If you are suggesting we shouldn't change the compiled-in default, I can > agree, POLS (Principle Of Least Surprise). If you are suggesting the default > config shouldn't reflect the ability to efficiently handle OCSP by stapling, > here > I

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-11 Thread Jeff Trawick
On Sat, Jul 11, 2015 at 2:55 PM, William A Rowe Jr wrote: > We can have a dialog about the best behavior of our default config. > However... > > On Sat, Jul 11, 2015 at 9:56 AM, Kaspar Brand > wrote: > >> On 01.07.2015 14:27, Ben Laurie wrote: >> > On 1 November 2014 at 09:05, Kaspar Brand >> w

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-11 Thread William A Rowe Jr
We can have a dialog about the best behavior of our default config. However... On Sat, Jul 11, 2015 at 9:56 AM, Kaspar Brand wrote: > On 01.07.2015 14:27, Ben Laurie wrote: > > On 1 November 2014 at 09:05, Kaspar Brand > wrote: > >> The fundamental objection I have to enabling stapling by defau

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-11 Thread Kaspar Brand
On 01.07.2015 14:27, Ben Laurie wrote: > On 1 November 2014 at 09:05, Kaspar Brand wrote: >> The fundamental objection I have to enabling stapling by default in our >> GA releases is that it would enable a "phoning home" feature (to the >> CA's OCSP responders) as a side effect of configuring a ce

Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-05 Thread William A Rowe Jr
On Jul 3, 2015 9:37 AM, "Rob Stradling" wrote: > > On 03/07/15 11:13, Plüm, Rüdiger, Vodafone Group wrote: > > >> Thanks for the detailed explanation. So yes OCSP stapling is really beneficial >> if it is possible for the server admin to set it up. But it likely requires additional >> configurati

Re: AW: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-03 Thread Rob Stradling
On 03/07/15 11:13, Plüm, Rüdiger, Vodafone Group wrote: Thanks for the detailed explanation. So yes OCSP stapling is really beneficial if it is possible for the server admin to set it up. But it likely requires additional configuration steps outside of httpd to make the OCSP responder reachable

AW: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-03 Thread Plüm, Rüdiger, Vodafone Group
> -Original Message- > From: Rob Stradling [mailto:rob.stradl...@comodo.com] > Sent: Friday, 3 July 2015 12:01 > To: dev@httpd.apache.org > Subject: Re: [RFC] Enable OCSP Stapling by default in httpd trunk > > On 02/07/15 19:03, Ruediger Pluem wrote: >

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-03 Thread Rob Stradling
On 02/07/15 19:03, Ruediger Pluem wrote: Just to be sure I don't miss anything. This is not about disabling OCSP, its about disabling OCSP stapling by default. Maybe I have a wrong understanding of OCSP stapling, but to me stapling only provides performance improvements, not security improveme

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-02 Thread Ruediger Pluem
nlau...@gmail.com> > [mailto:benlau...@gmail.com] On behalf of > > Ben Laurie > > Sent: Wednesday, 1 July 2015 14:27 > > To: dev@httpd.apache.org > > Subject: Re: [RFC] Ena

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-02 Thread William A Rowe Jr
h, 1. Juli 2015 14:27 > > To: dev@httpd.apache.org > > Subject: Re: [RFC] Enable OCSP Stapling by default in httpd trunk > > > > On 1 November 2014 at 09:05, Kaspar Brand > > wrote: > > > On 30.10.2014 15:51, Jeff Trawick wrote: > > >> IMO the present concer

AW: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-01 Thread Plüm, Rüdiger, Vodafone Group
> -Original Message- > From: benlau...@gmail.com [mailto:benlau...@gmail.com] On behalf of > Ben Laurie > Sent: Wednesday, 1 July 2015 14:27 > To: dev@httpd.apache.org > Subject: Re: [RFC] Enable OCSP Stapling by default in httpd trunk > > On 1 Novemb

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2015-07-01 Thread Ben Laurie
On 1 November 2014 at 09:05, Kaspar Brand wrote: > On 30.10.2014 15:51, Jeff Trawick wrote: >> IMO the present concerns with OCSP Stapling are: >> >> * not so clear that it has seen enough real-world testing; commented out >> sample configs and better documentation will help, as will enabling by >

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2014-11-01 Thread Kaspar Brand
On 30.10.2014 15:51, Jeff Trawick wrote: > IMO the present concerns with OCSP Stapling are: > > * not so clear that it has seen enough real-world testing; commented out > sample configs and better documentation will help, as will enabling by > default in trunk (just a little?) > * related bugs 571

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2014-10-30 Thread Jeff Trawick
On Thu, Oct 30, 2014 at 4:54 PM, Hanno Böck wrote: > On Thu, 30 Oct 2014 10:51:15 -0400, > Jeff Trawick wrote: > > > # Define a relatively small cache for OCSP Stapling using > > # the same mechanism that is used for the SSL session cache > > # above. If stapling is used with more tha

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

2014-10-30 Thread Hanno Böck
On Thu, 30 Oct 2014 10:51:15 -0400, Jeff Trawick wrote: > # Define a relatively small cache for OCSP Stapling using > # the same mechanism that is used for the SSL session cache > # above. If stapling is used with more than a few certificates, > # the size may need to be increased.

[RFC] Enable OCSP Stapling by default in httpd trunk

2014-10-30 Thread Jeff Trawick
IMO the present concerns with OCSP Stapling are: * not so clear that it has seen enough real-world testing; commented out sample configs and better documentation will help, as will enabling by default in trunk (just a little?) * related bugs 57121 and 57131 A simple way to help with the broader i