Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/05/23 15:15:09 UTC

[Bug 57131] OCSP Stapling scalability concern

https://bz.apache.org/bugzilla/show_bug.cgi?id=57131

--- Comment #1 from Jeff Trawick <tr...@apache.org> ---
As of httpd 2.4.13, this part of the original description is resolved:

------------------
All handshakes are blocked during any stapling activity for any
server/certificate, including checking the cache for an OCSP response but also
for accessing a responder over the network.

Slow responders holding up all handshakes could necessitate awkward attempts to
configure various timeouts to try to work around the problem, such as trying to
make the timeout small enough to avoid a mini-outage but large enough to handle
delays commonly encountered with that responder.

mod_ssl shouldn't block handshakes for certificates for which it has a
fresh-enough response to give to the client.

It would definitely be helpful to be able to obtain an existing, valid response
(the normal case) with near-zero overhead.
-------------------

The issue remains open post-2.4.13 as there is still a scalability concern as
larger and larger numbers of certificates are handled by the same server (or
some responder is slow): Only one refresh can be done at a time, all handshakes
needing a refreshed OCSP response are blocked.

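Added illustration (not part of the bug report or of mod_ssl): a small Python model of the two locking behaviours the comment distinguishes. A handshake that finds a fresh cached response returns without taking any refresh lock (the part resolved in 2.4.13); a handshake that needs a refresh either queues on one global refresh lock (the remaining concern) or on a lock for its own certificate. The class names, the "cert-A"/"cert-B" identifiers, and the hanging-responder scenario are assumptions constructed for this demonstration, and expiry handling is omitted to keep the model small.

```python
import threading


class FakeResponder:
    """Constructed stand-in for an OCSP responder (assumption, not mod_ssl code).

    The cert-B responder "hangs" until release() is called, modelling the slow
    responder from the bug report; every other certificate is answered at once.
    """

    def __init__(self):
        self.b_in_flight = threading.Event()  # set once the cert-B query has started
        self.b_release = threading.Event()    # set to let the cert-B query finish

    def fetch(self, cert_id):
        if cert_id == "cert-B":
            self.b_in_flight.set()
            self.b_release.wait()
        return f"ocsp-response-for-{cert_id}"

    def release(self):
        self.b_release.set()


class StaplingCache:
    """Toy stapling cache (assumption; names and structure are ours, not mod_ssl's).

    - A fresh cached response is returned without taking any refresh lock
      (the part of the report resolved in 2.4.13).
    - A missing response triggers a refresh. With per_cert_locks=False a single
      lock serialises all refreshes (the concern that remains open); with
      per_cert_locks=True each certificate refreshes under its own lock.
    """

    def __init__(self, fetch, per_cert_locks):
        self._fetch = fetch
        self._responses = {}
        self._per_cert_locks = per_cert_locks
        self._global_lock = threading.Lock()
        self._cert_locks = {}
        self._cert_locks_guard = threading.Lock()

    def seed(self, cert_id, response):
        """Pre-populate a fresh response, as an earlier refresh would have."""
        self._responses[cert_id] = response

    def _refresh_lock(self, cert_id):
        if not self._per_cert_locks:
            return self._global_lock
        with self._cert_locks_guard:
            return self._cert_locks.setdefault(cert_id, threading.Lock())

    def get_response(self, cert_id):
        """Called from the handshake path; returns the response to staple."""
        response = self._responses.get(cert_id)
        if response is not None:
            return response  # fresh response: no lock taken, no responder contacted
        with self._refresh_lock(cert_id):
            response = self._responses.get(cert_id)  # another thread may have refreshed
            if response is None:
                response = self._fetch(cert_id)
                self._responses[cert_id] = response
            return response


def run_scenario(per_cert_locks, a_is_fresh, wait=1.0):
    """Start a cert-B handshake that stalls in its responder, then a cert-A handshake.

    Returns True if the cert-A handshake completed while cert-B was still waiting
    on its responder, False if it was held up behind the cert-B refresh.
    """
    responder = FakeResponder()
    cache = StaplingCache(responder.fetch, per_cert_locks)
    if a_is_fresh:
        cache.seed("cert-A", "ocsp-response-for-cert-A")

    b = threading.Thread(target=cache.get_response, args=("cert-B",), daemon=True)
    b.start()
    responder.b_in_flight.wait(wait)  # cert-B now holds its refresh lock, stuck in fetch()

    a = threading.Thread(target=cache.get_response, args=("cert-A",), daemon=True)
    a.start()
    a.join(wait)
    a_finished_first = not a.is_alive()

    responder.release()  # let the slow responder answer so both threads can exit
    b.join(wait)
    a.join(wait)
    return a_finished_first


if __name__ == "__main__":
    print("global lock, cert-A needs refresh  :", run_scenario(False, False))  # False
    print("global lock, cert-A fresh          :", run_scenario(False, True))   # True
    print("per-cert lock, cert-A needs refresh:", run_scenario(True, False))   # True
```

The first call reproduces the open concern: cert-A's handshake only needs a quick refresh but sits behind cert-B's stalled one because there is a single refresh lock. The second call shows the 2.4.13 behaviour, where a fresh response is served without touching that lock. The third shows what per-certificate refresh locking would buy.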