https://bz.apache.org/bugzilla/show_bug.cgi?id=61531

            Bug ID: 61531
           Summary: SSLStaplingReturnResponderErrors should return last
                    cached response if is an error upstream
           Product: Apache httpd-2
           Version: 2.4.27
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: chrysa...@chrysalisnet.org
  Target Milestone: ---

Given the development of must-staple, apache now needs to implement a sane
behaviour.

The SSLStaplingReturnResponderErrors setting when set to off will omit any
kind of response, which will cause a must-staple enabled domain to generate an
error; instead Apache should return the last known non-error response, whether
that is a revoked certificate or a non-revoked certificate, allowing it to avoid
downtime related to temporary short-term OCSP server outages.

In addition the default setting for SSLStaplingStandardCacheTimeout should be
much higher; I suggest 1 day, i.e. 86400.

SSLStaplingFakeTryLater should also be defaulted to off.

Since Chrome and Firefox both operate by default in a soft-fail state, the
default options should be tuned for a must-staple scenario, as that is now the
only time when OCSP failures actually mean anything.

There is a very old bug, filed in 2014, on this subject (though not the same
specific request) which sadly had no developer response.

That bug is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=57121

Finally, Apache needs a way to refresh the staple cache before expiry so it is
always in a state where the cache is never expired.

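Added example, not part of the report and not mod_ssl's code: a small Python model of an OCSP staple cache that puts the behaviour the reporter describes (the cached entry times out, the responder cannot be reached, nothing is stapled) next to the behaviour the report asks for (keep serving the last valid good or revoked response during an outage, refresh before the response expires, and still never staple a response past its own nextUpdate, since clients reject those). The clock is plain seconds, the responder and its outage windows are simulated, the 4-hour response validity is an assumption, and the `cache_timeout` parameter only approximates the SSLStaplingStandardCacheTimeout directive.

```python
"""Model of an OCSP staple cache for a must-staple certificate.

Constructed example, not mod_ssl code. Compares 'drop the entry when it
times out and staple nothing on responder error' with 'serve the last
valid response, prefetch before expiry, never exceed nextUpdate'.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


class ResponderError(Exception):
    """The OCSP responder was unreachable or answered tryLater/internalError."""


@dataclass
class OCSPResponse:
    cert_status: str   # "good" or "revoked": both are answers worth stapling
    this_update: int   # seconds on the model clock
    next_update: int   # responder's validity bound; a staple past it is rejected by clients


Fetch = Callable[[int], OCSPResponse]
VALIDITY = 4 * 3600  # assumed validity window of every simulated response


def make_responder(outages: Sequence[Tuple[int, int]], status: str = "good") -> Fetch:
    """Simulated responder: raises during any [start, end) outage, else answers `status`."""
    def fetch(now: int) -> OCSPResponse:
        for start, end in outages:
            if start <= now < end:
                raise ResponderError("tryLater")
        return OCSPResponse(status, now, now + VALIDITY)
    return fetch


class StapleCache:
    def __init__(self, fetch: Fetch, cache_timeout: int,
                 keep_last_good: bool, refresh_margin: int = 0) -> None:
        self._fetch = fetch
        self._cache_timeout = cache_timeout    # approximates SSLStaplingStandardCacheTimeout
        self._keep_last_good = keep_last_good  # proposed: fall back to the last valid answer
        self._margin = refresh_margin          # proposed: refresh this long before nextUpdate
        self._cached: Optional[OCSPResponse] = None
        self._fetched_at = 0
        self.errors = 0

    def staple_for(self, now: int) -> Optional[OCSPResponse]:
        """Response to staple at `now`, or None (no status_request reply at all,
        which a must-staple client treats as a hard failure)."""
        c = self._cached
        entry_expired = c is None or now >= self._fetched_at + self._cache_timeout
        prefetch_due = c is not None and now >= c.next_update - self._margin
        if entry_expired or prefetch_due:
            try:
                c = self._fetch(now)
                self._cached, self._fetched_at = c, now
            except ResponderError:
                self.errors += 1
                if entry_expired and not self._keep_last_good:
                    # modelled current behaviour: the timed-out entry is gone, and with
                    # responder errors not returned to the client nothing is stapled
                    self._cached = c = None
        # In both modes, never staple a response the responder itself says has expired.
        if c is not None and now < c.next_update:
            return c
        return None


def run(times: Sequence[int], outages: Sequence[Tuple[int, int]], cache_timeout: int,
        keep_last_good: bool, refresh_margin: int = 0, status: str = "good") -> List[Optional[str]]:
    """Certificate status stapled at each handshake time ('good', 'revoked' or None)."""
    cache = StapleCache(make_responder(outages, status), cache_timeout, keep_last_good, refresh_margin)
    out: List[Optional[str]] = []
    for t in times:
        r = cache.staple_for(t)
        out.append(r.cert_status if r else None)
    return out


if __name__ == "__main__":
    # constructed scenario: two responder outages, the second one just before expiry
    TIMES = [0, 3700, 5000, 6500, 13600, 14100]
    OUTAGES = [(3500, 6000), (13000, 14000)]
    print("current  :", run(TIMES, OUTAGES, 3600, False))
    print("proposed :", run(TIMES, OUTAGES, 86400, True, 900))
```

The second outage in the scenario is the interesting one: the proposed policy asks the responder at 13600 (900 seconds before the 14400 expiry), fails, and keeps stapling the still-valid response until the responder is back; the modelled current policy staples nothing for each handshake during both outages. The bound on staleness is the responder's nextUpdate, not the server's cache timeout: once an outage outlasts the response's own validity, the proposed policy also stops stapling, which is the correct hard failure for a must-staple certificate.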