Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/10/10 09:54:46 UTC

[Bug 61818] OCSP "SSLUseStapling on" completely blocking the server when something is off with the responder

https://bz.apache.org/bugzilla/show_bug.cgi?id=61818

Michael Scholl <mi...@core-networks.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael.scholl@core-network
                   |                            |s.de

--- Comment #5 from Michael Scholl <mi...@core-networks.de> ---
Created attachment 37492
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37492&action=edit
Report errors on unreachable ocsp responder addresses

We had this issue yesterday and it took us a long time until we figured out that stapling was
the problem. I attached a patch that helps identify connection problems to
OCSP responder addresses more easily.

The problem is that the workers have no timeout for how long they wait in the queue to
make an OCSP request. There should be some SSLStaplingQueueTimeout option.

Maybe it would also be good if the server remembered responder addresses that
had been unreachable and ignored these addresses for some time. This would
speed up the OCSP requests when there are problems.

Our current solution is to set the following options:

SSLStaplingResponderTimeout 1
SSLStaplingStandardCacheTimeout 86400

This works for us but for servers with thousands of certificates this could
still be a problem.
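As an added example (not part of the bug report or the attached patch), a mod_ssl virtual host fragment applying the workaround settings quoted in the comment above; SSLStaplingReturnResponderErrors, SSLStaplingFakeTryLater and SSLStaplingErrorCacheTimeout are existing mod_ssl directives the comment does not mention, and the hostname and file paths are placeholders.

```apache
# Added example, not from the bug report. Defaults are given in comments.
# The stapling cache must be defined at server level, outside any vhost.
SSLStaplingCache shmcb:/var/run/apache2/ssl_stapling(32768)

<VirtualHost *:443>
    ServerName www.example.com            # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key   # placeholder

    SSLUseStapling on

    # Default: 10 seconds per responder query. With an unreachable responder,
    # every worker that has to fetch a stapling response blocks for this long.
    SSLStaplingResponderTimeout 1

    # Default: 3600 seconds. Keeping good responses for a full day means the
    # responder is contacted rarely while it is having problems.
    SSLStaplingStandardCacheTimeout 86400

    # Default for both: on. Do not hand responder errors or synthesized
    # "tryLater" responses to clients; instead cache the error state so a
    # failing certificate is retried at most once per interval (default 600 s)
    # rather than on every new connection.
    SSLStaplingReturnResponderErrors off
    SSLStaplingFakeTryLater off
    SSLStaplingErrorCacheTimeout 600
</VirtualHost>
```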
