Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/08/12 21:42:38 UTC
[Bug 56843] New: Support different OCSP stapling max ages
https://issues.apache.org/bugzilla/show_bug.cgi?id=56843
Bug ID: 56843
Summary: Support different OCSP stapling max ages
Product: Apache httpd-2
Version: 2.4.10
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: email@cs-ware.de
Right now, Apache httpd-2.4 only supports one SSLStaplingResponseMaxAge
parameter.
For some CAs (like StartSSL) you can obtain a certificate; however, the
validity of the certificate is not propagated to the CA's OCSP server
immediately (it takes up to twenty minutes). This means that if the site is
loaded too quickly after setting up the certificate in httpd, an "ocsp unknown
status" response is cached for the period of SSLStaplingResponseMaxAge (which is
2 days by default). Within this time span no access to the site is possible with
OCSP stapling aware clients (restarting httpd doesn't help since the response is
cached - the only way to fix this is to set SSLStaplingResponseMaxAge to a very
low value, reload httpd, reset SSLStaplingResponseMaxAge to the old/default
value and reload again).
There should be a more elegant way to fix this - e.g. by allowing a much
shorter maximum caching age for "unknown status" responses.
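One operational way to avoid caching the "unknown" answer in the first place is to ask the CA's responder about the certificate before (re)loading httpd. The script below is an added example, not part of the bug report or of httpd; it assumes the leaf certificate is in server.pem and the issuing CA certificate in issuer.pem.

```shell
#!/bin/sh
# Added example (not from the bug report): query the CA's OCSP responder
# before (re)loading httpd, so a not-yet-propagated "unknown" answer is never
# fetched and cached by mod_ssl for SSLStaplingResponseMaxAge.
# Assumed paths: server.pem (leaf cert), issuer.pem (issuing CA cert).

# Classify the stdout of `openssl ocsp` (run without -resp_text) for one cert.
# Prints one of: good, revoked, unknown, error.
ocsp_cert_status() {
    case "$1" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Query the responder named in the certificate's AIA extension and return 0
# only when the CA already answers "good" for this certificate.
ocsp_ready_for_stapling() {
    cert=$1; issuer=$2
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri) || return 1
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" 2>&1)
    [ "$(ocsp_cert_status "$out")" = good ]
}

# Constructed sample outputs, shaped like `openssl ocsp` prints them:
SAMPLE_GOOD='Response verify OK
server.pem: good
    This Update: Aug 12 20:00:00 2014 GMT'
SAMPLE_UNKNOWN='Response verify OK
server.pem: unknown
    This Update: Aug 12 20:00:00 2014 GMT'

# Usage in a deploy script: refuse to reload while the responder says "unknown".
# if ocsp_ready_for_stapling server.pem issuer.pem; then apachectl graceful; fi
```

Running the check in the deploy step turns the twenty-minute propagation delay into a retry loop instead of a two-day outage for stapling-aware clients.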