https://bz.apache.org/bugzilla/show_bug.cgi?id=61531
Bug ID: 61531
Summary: SSLStaplingReturnResponderErrors should return the last cached response if there is an error upstream
Product: Apache httpd-2
Version: 2.4.27
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: chrysa...@chrysalisnet.org
Target Milestone: ---

Given the development of must-staple, Apache now needs to implement a sane behaviour. The SSLStaplingReturnResponderErrors setting, when set to off, will omit any kind of response, which will cause a must-staple enabled domain to generate an error. Instead Apache should return the last known non-error response, whether that is for a revoked certificate or a non-revoked certificate, allowing it to avoid downtime related to temporary short-term OCSP server outages.

In addition, the default setting for SSLStaplingStandardCacheTimeout should be much higher; I suggest 1 day, so 86400. SSLStaplingFakeTryLater should also be defaulted to off. Since Chrome and Firefox both operate by default in a soft-fail state, the default options should be tuned for a must-staple scenario, as that is now the only time when OCSP failures actually mean anything.

There is a very old 2014 bug filed on this subject which sadly had no developer response, but it is not the same specific request. That bug is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=57121

Finally, Apache needs a way to refresh the staple cache before expiry so it is always in a state where the cache is never expired.
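As an added illustration (not part of the bug report, and not a patch to httpd), the mod_ssl stapling directives the report discusses, with the defaults that 2.4.x ships commented beside the values the reporter proposes; the cache path is an assumed placeholder:

```apache
# Stapling cache must be declared in global (server) scope, outside any <VirtualHost>.
# Path and size are assumed placeholders.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem   # placeholder
    SSLCertificateKeyFile /path/to/key.pem    # placeholder

    SSLUseStapling on

    # Default: on (a responder error such as tryLater is forwarded to the client).
    # Proposed: off, so that no error is stapled; the report asks that the last
    # good cached response be sent instead of nothing, which httpd does not do today.
    SSLStaplingReturnResponderErrors off

    # Default: 3600 seconds. Proposed: one day, so a short OCSP responder
    # outage does not leave a must-staple site without a valid staple.
    SSLStaplingStandardCacheTimeout 86400

    # Default: on (a synthesized tryLater response is stapled when the
    # responder cannot be reached). Proposed: off.
    SSLStaplingFakeTryLater off

    # Default: 600 seconds that an error response stays cached before a
    # fresh responder query is attempted; left at its default here.
    SSLStaplingErrorCacheTimeout 600
</VirtualHost>
```

Whether a server actually sends a staple can be checked from a client with `openssl s_client -connect host:443 -status`, which prints the OCSP response (or "no response sent") in its output.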