https://issues.apache.org/bugzilla/show_bug.cgi?id=57131

            Bug ID: 57131
           Summary: OCSP Stapling scalability concern
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]

This is essentially the global stapling mutex and the work which requires
holding that mutex during a handshake.

All handshakes are blocked during any stapling activity for any
server/certificate, including checking the cache for an OCSP response but also
for accessing a responder over the network.

Slow responders holding up all handshakes could necessitate awkward attempts to
configure various timeouts to try to work around the problem, such as trying to
make the timeout small enough to avoid a mini-outage but large enough to handle
delays commonly encountered with that responder.

mod_ssl shouldn't block handshakes for certificates for which it has a
fresh-enough response to give to the client.

It would definitely be helpful to be able to obtain an existing, valid response
(the normal case) with near-zero overhead.

It would definitely be helpful to prefetch responses in a daemon process/thread
well before expiration.

It may be helpful to return a "tryLater" response if an existing response has
expired and a query is currently being performed for the selected certificate.

This issue is at least somewhat related to issue 57121.
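The structure the report asks for, as an added example that is not mod_ssl's code: a per-certificate cache whose lock guards only its bookkeeping and is never held while a responder is contacted, a `tryLater` stand-in returned when the response is stale and a query for that certificate is already running, and a prefetch step meant for a daemon thread. The class and function names, the `fetch` callable standing in for the responder, and all timings are assumptions; `demo()` runs a constructed scenario in which the responder for one certificate hangs while a handshake for another certificate is served from cache.

```python
"""Model of the non-blocking OCSP stapling cache described in the report.
Added example, not mod_ssl's implementation: names (StaplingCache,
CachedResponse, demo), the fetch callable and all timings are assumptions."""

import threading
from dataclasses import dataclass

TRY_LATER = b"tryLater"   # stand-in for an OCSPResponseStatus tryLater response


@dataclass
class CachedResponse:
    der: bytes          # constructed stand-in for the DER-encoded OCSP response
    next_update: float  # seconds; the response is stale once now >= next_update


class StaplingCache:
    """Per-certificate cache. The lock guards only the dictionaries and is never
    held while talking to a responder, so one slow responder cannot stall
    handshakes for certificates that already have a fresh response."""

    def __init__(self, fetch, refresh_margin=300.0):
        self._fetch = fetch                    # callable(cert_id) -> CachedResponse; may be slow
        self._refresh_margin = refresh_margin  # prefetch this many seconds before next_update
        self._responses = {}                   # cert_id -> CachedResponse
        self._in_flight = set()                # cert_ids with a responder query running
        self._lock = threading.Lock()

    def seed(self, cert_id, response):
        """Install a response (e.g. loaded from a persistent cache at startup)."""
        with self._lock:
            self._responses[cert_id] = response

    def staple_for(self, cert_id, now):
        """Handshake path. Fresh response: returned with near-zero overhead.
        Stale with a query already running: tryLater, no waiting.
        Stale with no query running: this handshake alone performs the query."""
        with self._lock:
            cached = self._responses.get(cert_id)
            if cached is not None and cached.next_update > now:
                return cached.der
            if cert_id in self._in_flight:
                return TRY_LATER
            self._in_flight.add(cert_id)
        fresh = self._query(cert_id)          # lock released: other handshakes proceed
        return fresh.der if fresh is not None else TRY_LATER

    def _query(self, cert_id):
        try:
            fresh = self._fetch(cert_id)
        except Exception:                     # responder down or timed out: keep old entry
            fresh = None
        with self._lock:
            if fresh is not None:
                self._responses[cert_id] = fresh
            self._in_flight.discard(cert_id)
        return fresh

    def prefetch_due(self, now):
        """Daemon-thread body: refresh responses that expire within refresh_margin
        so the handshake path normally hits the fresh case. Returns the ids refreshed."""
        with self._lock:
            due = [c for c, r in self._responses.items()
                   if r.next_update - now <= self._refresh_margin
                   and c not in self._in_flight]
            self._in_flight.update(due)
        return [c for c in due if self._query(c) is not None]


def demo():
    """Constructed scenario: the responder for cert 'slow' hangs until released,
    cert 'fast' has a fresh cached response. Returns the observed results."""
    release, started = threading.Event(), threading.Event()

    def fetch(cert_id):
        if cert_id == "slow":
            started.set()
            release.wait()                    # simulate a responder that stalls
        return CachedResponse(der=f"ocsp:{cert_id}".encode(), next_update=2000.0)

    cache = StaplingCache(fetch, refresh_margin=300.0)
    cache.seed("fast", CachedResponse(b"ocsp:fast:old", next_update=1500.0))
    cache.seed("slow", CachedResponse(b"ocsp:slow:old", next_update=900.0))  # already stale at t=1000

    results = {}
    t = threading.Thread(target=lambda: results.__setitem__(
        "slow_first", cache.staple_for("slow", now=1000.0)))   # this handshake queries
    t.start()
    started.wait()                                              # query is now in flight
    results["fast_during"] = cache.staple_for("fast", now=1000.0)   # not blocked by it
    results["slow_during"] = cache.staple_for("slow", now=1000.0)   # tryLater, no wait
    release.set()
    t.join()
    results["slow_after"] = cache.staple_for("slow", now=1000.0)    # fresh now
    results["prefetched"] = cache.prefetch_due(now=1300.0)          # 'fast' expires in 200s
    results["fast_after"] = cache.staple_for("fast", now=1600.0)    # served by the prefetch
    return results


if __name__ == "__main__":
    print(demo())
```

The property being modelled is that the only lock is released before any network activity, so the cost a slow responder imposes is confined to the handshake that actually performs the query for that one certificate; everything else either hits the fresh path or gets `tryLater` immediately. The prefetch margin is what keeps the `tryLater` path rare in steady state, since a client receiving it gets no usable staple for that handshake.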
