Posted to dev@httpd.apache.org by Rob Stradling <ro...@comodo.com> on 2011/01/05 11:03:19 UTC

Re: mod_ssl ssl_util_stapling.c warnings

On Friday 24 December 2010 16:24:03 Igor Galić wrote:
<snip>
> If we want to see more extensive testing in the field,
> then this is the right time to make 'On' the default.

Steve, has Igor persuaded you?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Re: Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)

Posted by Rob Stradling <ro...@comodo.com>.
On Wednesday 09 Feb 2011 09:39:36 Rob Stradling wrote:
> On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
> > On Friday 24 December 2010 16:24:03 Igor Galić wrote:
> > <snip>
> > 
> > > If we want to see more extensive testing in the field,
> > > then this is the right time to make 'On' the default.
> > 
> > Steve, has Igor persuaded you?
> 
> I was hoping to generate a bit more discussion and to reach consensus on
> the "when" question here on-list, but never mind.
> 
> I've just filed "Bug 50740 - Enable OCSP Stapling by default".

On a related note, I've also just filed "Bug 50742 - Detect when the OpenSSL 
runtime library is vulnerable to CVE-2011-0014".  I think it makes sense to 
*not* enable OCSP Stapling by default when a vulnerable version of OpenSSL is 
being used.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Re: Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 2/9/2011 5:15 AM, Joe Orton wrote:
> On Wed, Feb 09, 2011 at 09:39:36AM +0000, Rob Stradling wrote:
>> On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
>>> On Friday 24 December 2010 16:24:03 Igor Galić wrote:
>>> <snip>
>>>
>>>> If we want to see more extensive testing in the field,
>>>> then this is the right time to make 'On' the default.
>>>
>>> Steve, has Igor persuaded you?
>>
>> I was hoping to generate a bit more discussion and to reach consensus on the 
>> "when" question here on-list, but never mind.
> 
> Has anybody got results of testing the OCSP stapling code that they can 
> share?
> 
> I would be sympathetic to an "on by default for 2.3.N" campaign if the 
> lobbying came with some successful test results.  What code have you 
> tested, how did it work, what configuration, what responder vendor, etc?

FWIW www.apache.org was running OCSP for some time.  It's temporarily
disabled in light of the pending 1.0.0d update.

Re: Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)

Posted by Joe Orton <jo...@redhat.com>.
On Wed, Feb 09, 2011 at 09:39:36AM +0000, Rob Stradling wrote:
> On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
> > On Friday 24 December 2010 16:24:03 Igor Galić wrote:
> > <snip>
> > 
> > > If we want to see more extensive testing in the field,
> > > then this is the right time to make 'On' the default.
> > 
> > Steve, has Igor persuaded you?
> 
> I was hoping to generate a bit more discussion and to reach consensus on the 
> "when" question here on-list, but never mind.

Has anybody got results of testing the OCSP stapling code that they can 
share?

I would be sympathetic to an "on by default for 2.3.N" campaign if the 
lobbying came with some successful test results.  What code have you 
tested, how did it work, what configuration, what responder vendor, etc?

Regards, Joe

Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)

Posted by Rob Stradling <ro...@comodo.com>.
On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
> On Friday 24 December 2010 16:24:03 Igor Galić wrote:
> <snip>
> 
> > If we want to see more extensive testing in the field,
> > then this is the right time to make 'On' the default.
> 
> Steve, has Igor persuaded you?

I was hoping to generate a bit more discussion and to reach consensus on the 
"when" question here on-list, but never mind.

I've just filed "Bug 50740 - Enable OCSP Stapling by default".

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online