https://bz.apache.org/bugzilla/show_bug.cgi?id=61818
--- Comment #7 from Archie Cobbs <[email protected]> ---

We had a similar problem where nobody could log in just now. The root cause was that DNS lookups for the OCSP responder were failing.

Our configuration:

    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

The errors that were logged:

    [ssl:error] [pid 103363] (EAI 2)Name or service not known: [client X.X.X.X:X] AH01972: could not resolve address of OCSP responder r3.o.lencr.org
    [ssl:error] [pid 103363] AH01941: stapling_renew_response: responder error

Here's my main issue with this behavior: We have explicitly configured "SSLStaplingResponderTimeout 5", but the connections were hanging for much longer than that.

Presumably this is because "SSLStaplingResponderTimeout" only applies to the TCP connection, not the DNS lookup that precedes it.

But this means "SSLStaplingResponderTimeout" is not really useful because it only gives a partial guarantee that the time spent futzing with OCSP will be limited.

Instead, "SSLStaplingResponderTimeout" should limit the time spent on the ENTIRE OCSP operation including DNS lookup, TCP connection, etc.
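Added example, not part of the comment above and not Apache httpd code: a sketch of a single deadline that covers both the DNS lookup and the TCP connect, which is the behaviour the comment asks for. The function names, the host `ocsp.example.test` and the stand-in resolver and connector are hypothetical and constructed so the block runs offline.

```python
import concurrent.futures as cf
import socket
import time

class DeadlineExceeded(Exception):
    """The overall budget ran out; args[0] names the phase ('dns' or 'connect')."""

_RESOLVERS = cf.ThreadPoolExecutor(max_workers=4)

def connect_within(host, port, budget, resolve=socket.getaddrinfo,
                   connect=socket.create_connection):
    """Resolve and connect to host:port, spending at most `budget` seconds in total."""
    deadline = time.monotonic() + budget

    def remaining(phase):
        left = deadline - time.monotonic()
        if left <= 0:
            raise DeadlineExceeded(phase)
        return left

    # getaddrinfo() takes no timeout, so run it in a worker thread and stop
    # waiting at the deadline. The lookup is abandoned, not cancelled: the
    # worker stays busy until the resolver itself gives up.
    lookup = _RESOLVERS.submit(resolve, host, port, 0, socket.SOCK_STREAM)
    try:
        infos = lookup.result(timeout=remaining("dns"))
    except cf.TimeoutError:
        raise DeadlineExceeded("dns") from None
    # The TCP connect gets only what the lookup left over, not a fresh timeout.
    return connect(infos[0][4][:2], timeout=remaining("connect"))

# Constructed stand-ins so the demo runs offline (not real DNS or sockets).
def slow_resolver(delay):
    def resolve(host, port, family=0, type=0):
        time.sleep(delay)
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.1", port))]
    return resolve

def fake_connect(address, timeout):
    return {"address": address, "connect_timeout": timeout}

def demo():
    # 0.2 s budget against a resolver that takes 0.6 s to answer.
    try:
        connect_within("ocsp.example.test", 80, 0.2, slow_resolver(0.6), fake_connect)
    except DeadlineExceeded as exc:
        return exc.args[0]

if __name__ == "__main__":
    print("budget exhausted during:", demo())
```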
