https://bz.apache.org/bugzilla/show_bug.cgi?id=61818
Michael Scholl <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |michael.scholl@core-network | |s.de --- Comment #5 from Michael Scholl <[email protected]> --- Created attachment 37492 --> https://bz.apache.org/bugzilla/attachment.cgi?id=37492&action=edit Report errors on unreachable ocsp responder addresses We had this issue yesterday and it took us long till we figured out stapling is the problem. I attached a patch that helps identifying connection problems to ocsp responder addresses more easily. The problem is that the Workers have no timeout how long they wait in queue to make an OCSP request. There should be some SSLStaplingQueueTimeout option. Maybe it would also be good if the server remembers responder addresses that had been unreachable and ignores these addresses for some time. This would speed up the ocsp requests on problems. Our current solution is to set the following options: SSLStaplingResponderTimeout 1 SSLStaplingStandardCacheTimeout 86400 This works for us but for servers with thousands of certificates this could still be a problem. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
