Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/11/09 09:39:05 UTC

[Bug 60182] SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On

https://bz.apache.org/bugzilla/show_bug.cgi?id=60182

--- Comment #15 from raj <vr...@dikitin.com> ---

(In reply to gmoniker from comment #11)
> So, then we have to accept that OCSP stapling in 2.4 mod_ssl is
> fundamentally broken?
> 
> I spent some more time looking at the mod_ssl stapling code. Unfortunately
> this did not improve my outlook of finding a robust stapling config for 2.4.
> 
> I had somewhat adopted the feeling that running with `ReturnResponderErrors
> off` and `FakeTryLater` would be a configuration that was nearly *good*.
> Just fix the sending out of a TryLater if the OCSP responder was not
> reachable and it stays up when the OCSP responder is blocked from answering
> and all clients that I know of can reach the site and actually show it to
> the user, unless they have set it to mandatory revocation checking and the
> client locally also cannot find another source of revocation info.
> 
> However, I have now noticed that if you run with `ReturnResponderErrors
> off`, then if an OCSP responder answers with an authoritative revocation, then
> it is handled by the code as if it was an error that needs to be suppressed,
> and it stops the revocation from reaching the client. Well............ That
> means running with responder errors off becomes pointless. If you never
> return a revocation, then it is completely useless.
> 
> So for 2.4 mod_ssl, two things must be fixed. Not send out a faketrylater
> AND NOT keep perfectly good revocations from going out. And sending out
> responses that can't be parsed as basic OCSP responses should also be
> stopped.
> 
> For the hosting operator with a run of the mill production server, this
> leaves little options. Running with `ResponderErrors off` means that
> cosmetically it ticks the security boxes of delivering OCSP stapling, but it
> will never send out revocations it received, cache an outage unnecessarily
> long and dupe Firefox users when the OCSP responder is blocked. Running with
> `ResponderErrors on` means that an OCSP responder that is blocked from
> responding also delivers a much less responsive website because for each new
> TLS connection it will try again to get an OCSP response cached. And in both
> settings, it will also return OCSP responses that can't be parsed by openSSL
> at all.
> 
> So, for the moment the hosting operator with Apache can only look to
> external OCSP caching proxies, to have meaningful OCSP stapling, until such
> moment that mod_md becomes available in 2.2 or higher.
> 
> And incidentally, if I look at trunk, the situation is not improving. In
> trunk, a renewal failure will be translated into a TLS Fatal hangup. So, if
> you run with OCSP stapling enabled with just mod_ssl then if an OCSP
> responder is unreachable or produces garbage just when the cached response
> expired, then from that moment until an OCSP response becomes available, NO
> client will be able to reach the site.
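An operator-side check for the failure modes the quoted comment describes (a faked tryLater, a suppressed revocation, a response OpenSSL cannot parse), so the effect of a given SSLStaplingReturnResponderErrors / SSLStaplingFakeTryLater setting can be verified on the wire. This is an added example, not code from the bug thread or from httpd; it assumes the wording of `openssl s_client -status` output in OpenSSL 1.1+, and the sample outputs below are constructed.

```shell
#!/bin/sh
# Report what a TLS endpoint actually staples, from the text that
# `openssl s_client -status` prints (OpenSSL 1.1+ wording assumed).
# Prints one token: none | good | revoked | unknown | trylater | responder-error | unparsed
classify_staple() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)     echo none; return 0 ;;
        *"OCSP response: response parse error"*) echo unparsed; return 0 ;;
    esac
    # OCSP_RESPONSE_print() line, e.g. "OCSP Response Status: trylater (0x3)"
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: \([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        trylater) echo trylater ;;
        successful)
            cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
            case "$cert" in
                good|revoked|unknown) echo "$cert" ;;
                *) echo unparsed ;;
            esac ;;
        "") echo unparsed ;;
        *)  echo responder-error ;;   # malformedrequest, internalerror, sigrequired, unauthorized
    esac
}

# Live probe against a vhost (needs network; not exercised by the samples below).
check_host() {
    printf 'Q\n' | openssl s_client -status -servername "$1" -connect "$1:443" 2>/dev/null \
        | classify_staple
}

# A definitive staple is a parseable responder answer (good/revoked/unknown);
# anything else is one of the broken states the thread complains about.
staple_is_definitive() {
    case "$(classify_staple)" in good|revoked|unknown) return 0 ;; *) return 1 ;; esac
}

# Constructed sample outputs, shaped like s_client's ocsp_resp_cb() printing.
SAMPLE_GOOD=$(printf 'OCSP response: \n====\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n    Cert Status: good\n')
SAMPLE_REVOKED=$(printf 'OCSP response: \n====\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n    Cert Status: revoked\n    Revocation Time: Nov  1 00:00:00 2021 GMT\n')
SAMPLE_TRYLATER=$(printf 'OCSP response: \n====\nOCSP Response Data:\n    OCSP Response Status: trylater (0x3)\n')
SAMPLE_NONE=$(printf 'OCSP response: no response sent\n')
SAMPLE_GARBAGE=$(printf 'OCSP response: response parse error\n    0000 - de ad be ef\n')

for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_TRYLATER" "$SAMPLE_NONE" "$SAMPLE_GARBAGE"; do
    printf '%s\n' "$s" | classify_staple
done
```

Run `check_host example.org` against each vhost after changing the stapling directives; a result of `trylater`, `none` or `unparsed` on a server that should be stapling is the condition the comment describes.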
