Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/08/12 21:42:38 UTC

[Bug 56843] New: Support different OCSP stapling max ages

https://issues.apache.org/bugzilla/show_bug.cgi?id=56843

            Bug ID: 56843
           Summary: Support different OCSP stapling max ages
           Product: Apache httpd-2
           Version: 2.4.10
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: email@cs-ware.de

Right now, Apache httpd-2.4 only supports one SSLStaplingResponseMaxAge
parameter.

For some CAs (like StartSSL) you can obtain a certificate, however, the
validity of the certificate is not propagated to the CA's OCSP server
immediately (takes up to twenty minutes). This means that after setting up the
certificate in httpd and loading the site too quickly an "ocsp unknown status"
response is cached for the period of SSLStaplingResponseMaxAge (which is 2 days
by default). Within this time span no access to the site is possible with OCSP
stapling aware clients (restarting httpd doesn't help since the response is
cached - the only way to fix this is to set SSLStaplingResponseMaxAge to a very
low value, reload httpd, reset SSLStaplingResponseMaxAge to the old/default
value and reload again).

There should be a more elegant way to fix this - e.g. by allowing a much
shorter maximum caching age for "unknown status" responses.

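An added pre-flight check, not part of the bug report or of httpd itself: before turning on SSLUseStapling, query the responder named in the certificate's AIA extension and treat anything other than a verified "good" as not yet safe, so the "unknown" answer described above never enters the stapling cache. The file names leaf.pem and issuer.pem are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or httpd): ask the CA's OCSP
# responder about the leaf certificate and only report "safe to enable
# stapling" when the answer is a verified "good".
# Assumed placeholder files: leaf.pem (server cert) and issuer.pem (its CA).

# Print the responder's verdict (good, revoked or unknown) from the text
# `openssl ocsp` writes, or "none" if no verdict line is present.
# openssl prints "<certfile>: <status>" at column 0; the indented
# "Cert Status:" line that -resp_text adds is deliberately ignored.
ocsp_verdict() {
    printf '%s\n' "$1" | awk '
        /^[^ \t].*: (good|revoked|unknown)$/ { sub(/.*: /, ""); print; found = 1; exit }
        END { if (!found) print "none" }'
}

# Succeed only if OpenSSL could verify the responder's signature.
ocsp_verified() {
    printf '%s\n' "$1" | grep -q '^Response verify OK'
}

# 0 = safe to enable stapling; 1 = wait (unknown, revoked or unverified),
# because httpd would otherwise cache that answer for SSLStaplingResponseMaxAge.
stapling_safe() {
    ocsp_verified "$1" && [ "$(ocsp_verdict "$1")" = good ]
}

# Live check: ./ocsp-check.sh leaf.pem issuer.pem
if [ "$#" -eq 2 ]; then
    leaf=$1; issuer=$2
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)      # responder from AIA
    out=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -CAfile "$issuer" \
                       -url "$url" -resp_text 2>&1 || true)
    if stapling_safe "$out"; then
        echo "OCSP status good at $url; safe to enable stapling"
    else
        echo "OCSP verdict '$(ocsp_verdict "$out")' at $url; do not enable stapling yet"
        exit 1
    fi
fi
```

Run it right after installing a new certificate and repeat until it reports "good"; only then reload httpd with stapling enabled.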