https://issues.apache.org/bugzilla/show_bug.cgi?id=57121
Bug ID: 57121
Summary: ocsp stapling should not pass temporary server outages to clients
Product: Apache httpd-2
Version: 2.4.6
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Those mod_ssl ocsp default values are set here:
SSLStaplingResponseMaxAge -1 (so the entries should be valid much more than
an hour)
SSLStaplingStandardCacheTimeout 3600 (so after one hour a new ocsp request is
being done by mod_ssl)
Now I saw the case that after one hour mod_ssl tried to refresh the ocsp
reply from the ocsp server, but I see in the proxy log that the ocsp server could
not be reached. Now instead of attaching the previous (still valid) ocsp reply
to the server certificate for the clients, it was attaching a "try later" ocsp
error in the reply to the client. As a result of that the client (Firefox 33
here) was displaying an error message that there is a problem with the ocsp
status of the server certificate.
If mod_ssl still has an old but valid ocsp reply in the cache it should never
replace that with a "try later" ocsp error. Also setting
"SSLStaplingReturnResponderErrors off" is not an option because the site might
have a must-staple policy defined.
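The caching behaviour the report asks for, modelled as an added example (this is not mod_ssl's code): a refresh that overwrites the cached entry with whatever the responder returns, beside a hardened variant that keeps stapling the last successful response until its nextUpdate has passed. The cache structure, the responder, the timestamps and the seven-day validity window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

GOOD = "successful"     # OCSPResponseStatus successful (0), RFC 6960
TRY_LATER = "tryLater"  # OCSPResponseStatus tryLater (3): responder outage


@dataclass
class StapledResponse:
    status: str
    next_update: int  # end of the responder's validity window (epoch seconds)


@dataclass
class StaplingCache:
    cache_timeout: int = 3600  # models SSLStaplingStandardCacheTimeout
    entry: Optional[StapledResponse] = None
    fetched_at: int = 0


Fetch = Callable[[int], StapledResponse]


def _cache_fresh(cache: StaplingCache, now: int) -> bool:
    return cache.entry is not None and now - cache.fetched_at < cache.cache_timeout


def refresh_buggy(cache: StaplingCache, now: int, fetch: Fetch) -> StapledResponse:
    """Behaviour the report describes: a tryLater error replaces the cached response."""
    if not _cache_fresh(cache, now):
        cache.entry, cache.fetched_at = fetch(now), now
    return cache.entry


def refresh_fixed(cache: StaplingCache, now: int, fetch: Fetch) -> StapledResponse:
    """On a responder error, keep the previous GOOD response while it is still valid."""
    if _cache_fresh(cache, now):
        return cache.entry
    fresh, old = fetch(now), cache.entry
    if fresh.status != GOOD and old is not None and old.status == GOOD and old.next_update > now:
        cache.fetched_at = now  # serve the old entry now, retry after the cache timeout
        return old
    cache.entry, cache.fetched_at = fresh, now
    return fresh


def outage_responder(now: int) -> StapledResponse:
    """Constructed responder: one good response valid for seven days, then unreachable."""
    if now < 3600:
        return StapledResponse(GOOD, now + 7 * 86400)
    return StapledResponse(TRY_LATER, now)


def simulate(refresh) -> tuple:
    """Stapled status at first fetch, during the outage, and after the old nextUpdate."""
    cache = StaplingCache()
    return tuple(refresh(cache, t, outage_responder).status for t in (0, 3700, 8 * 86400))
```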