Summary: in order to promote the ubiquity of OCSP stapling, please test Apache httpd 2.3.x and submit your results. Then, Apache might switch it on by default.
Apache httpd 2.3.x has recently entered beta, so presumably a stable 2.4.0 release is on the horizon. This will be the first stable release of httpd that supports OCSP Stapling, coming some 4 years after Mozilla donated $30K to the OSSI[0] to get the code written.

At present, 2.3.x has OCSP Stapling disabled by default - the site operator has to add some config directives in order to enable it. This makes it much less likely it will achieve wide use. A few months ago Rob Stradling of Comodo filed an enhancement request[1] to "Enable OCSP Stapling by default".

On the httpd-dev mailing list, Joe Orton asked[2]:

'Has anybody got results of testing the OCSP stapling code that they can share? I would be sympathetic to an "on by default for 2.3.N" campaign if the lobbying came with some successful test results. What code have you tested, how did it work, what configuration, what responder vendor, etc?'

There have been no replies... yet.

So, please consider testing the OCSP stapling feature in httpd 2.3.x with your OCSP servers/clients, and then posting your results to the httpd-dev thread[2]. (Subscribe here: [3]). This might involve installing a copy of the server, and then using certs from a number of different providers to check if the server correctly obtained the OCSP response, correctly stapled it, and clients correctly used it instead of requesting another.

If enough Mozilla community members can spare the time to do this, then we may well be able to persuade the httpd developers to enable OCSP stapling by default.

Gerv

[0] https://www.mozilla.org/grants/open-source-software-institute.html
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=50740
[2] http://mail-archives.apache.org/mod_mbox/httpd-dev/201102.mbox/%3c20110209111550.ga6...@redhat.com%3E
[3] http://httpd.apache.org/lists.html#http-dev

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
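One way to check the "did the server staple it" half of the test above, as an added example rather than anything from the post or from the httpd project: a POSIX shell script that opens one handshake with `openssl s_client -status` (which sends the TLS status_request extension, just as a stapling-aware browser would) and classifies the reply. It assumes a server already configured for stapling (in httpd 2.4 mod_ssl that means `SSLUseStapling On` plus an `SSLStaplingCache`, directives the post itself does not name) and that a recent `openssl` binary is on the PATH; the two sample outputs are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Constructed sample: what "openssl s_client -status" prints when the
# server staples a good OCSP response (trimmed to the lines we inspect).
STAPLED_SAMPLE='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

# Constructed sample: server ignored status_request, nothing stapled.
UNSTAPLED_SAMPLE='CONNECTED(00000003)
OCSP response: no response sent'

# classify_stapling reads s_client output on stdin and prints one of:
#   stapled:good | stapled:revoked | stapled:unknown | stapled:failed | none
# "stapled:failed" means a response was stapled but its status was not
# "successful" (e.g. the responder returned an error the server cached).
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo "none"; return 0 ;;
    esac
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *"OCSP response:"*) echo "stapled:failed"; return 0 ;;
        *) echo "none"; return 0 ;;
    esac
    case "$out" in
        *"Cert Status: good"*)    echo "stapled:good" ;;
        *"Cert Status: revoked"*) echo "stapled:revoked" ;;
        *)                        echo "stapled:unknown" ;;
    esac
}

# probe HOST [PORT]: one TLS handshake requesting the status extension;
# "Q" on stdin makes s_client close the connection after the handshake.
probe() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null | classify_stapling
}

# Usage: ./stapling-check.sh www.example.org [443]
if [ $# -ge 1 ]; then probe "$@"; fi
```

Run it once per certificate provider you test and record the result alongside the responder vendor; a "none" against a server you believe is configured for stapling usually means the server never obtained a response from the responder, which is worth reporting separately from a client-side failure.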