Good advice, thanks for sharing! People interested in this may also be interested in reading Let's Encrypt's 2017 postmortem related to the same issue: https://community.letsencrypt.org/t/may-19-2017-ocsp-and-issuance-outage-postmortem/34922. Another interesting thing: concatenation happens without regard to whether the OCSP URL in a certificate has a trailing slash. If you issue certificates where the OCSP URL ends in a trailing slash (rare, I think), you'll find that all of your OCSP GET requests start with a doubled slash (//). Also, it's worth being cautious about deploying changes that will cause large numbers of cache entries to be invalidated.
-- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAN3x4QmJ4_ZEOOq%3DPgLv45NLD1afcqWeKd0M8PR%2B%3D%3DdShh%2BbZA%40mail.gmail.com.
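The trailing-slash behaviour described in the message above, as an added example (not code from the poster or from Let's Encrypt). It assumes the OCSP GET form from RFC 6960 Appendix A.1 (responder URL, a `/`, then the URL-encoded base64 of the DER-encoded OCSPRequest); the function names, the `ocsp.example.test` host and the sample DER bytes are constructed for illustration and are not a real OCSP request.

```python
import base64
import urllib.parse

# Constructed stand-in for the DER encoding of an OCSPRequest. The bytes are
# chosen so the base64 form contains '/' characters, which must be
# percent-encoded in the URL; they are not a real, parseable OCSP request.
SAMPLE_OCSP_REQUEST_DER = b"\x30\x06\x30\x04\xfb\xff\xfe\x3f"


def encode_ocsp_request(der: bytes) -> str:
    """base64-encode the DER request, then percent-encode it for a URL path.

    RFC 6960 Appendix A.1 gives the GET form as the responder URL, a '/',
    and the url-encoding of the base64 encoding of the DER request.
    safe="" makes the base64 characters '/' and '+' percent-encoded as well.
    """
    return urllib.parse.quote(base64.b64encode(der).decode("ascii"), safe="")


def naive_ocsp_get_url(responder_url: str, der: bytes) -> str:
    """Literal concatenation: responder URL + '/' + encoded request.

    This is the behaviour the post describes: if the OCSP URL in the
    certificate already ends in '/', the resulting path starts with '//'.
    """
    return responder_url + "/" + encode_ocsp_request(der)


def ocsp_get_url(responder_url: str, der: bytes) -> str:
    """Slash-aware join: drop any trailing '/' from the responder URL first,
    so a URL with or without a trailing slash yields the same request URL."""
    return responder_url.rstrip("/") + "/" + encode_ocsp_request(der)


def decode_ocsp_get_path(path: str) -> bytes:
    """Responder-side counterpart: recover the DER request from a GET path.

    Tolerates a doubled leading slash (a client that concatenated naively
    against a trailing-slash URL) and accepts both percent-encoded and raw
    base64, since unquote() leaves '+', '/' and '=' untouched when raw.
    """
    encoded = path.lstrip("/")
    return base64.b64decode(urllib.parse.unquote(encoded), validate=True)


if __name__ == "__main__":
    for url in ("http://ocsp.example.test", "http://ocsp.example.test/"):
        print("naive:     ", naive_ocsp_get_url(url, SAMPLE_OCSP_REQUEST_DER))
        print("normalized:", ocsp_get_url(url, SAMPLE_OCSP_REQUEST_DER))
    # A tolerant responder still decodes the doubled-slash form correctly.
    doubled = naive_ocsp_get_url("http://ocsp.example.test/", SAMPLE_OCSP_REQUEST_DER)
    path = urllib.parse.urlsplit(doubled).path
    assert decode_ocsp_get_path(path) == SAMPLE_OCSP_REQUEST_DER
```

Note that the naive and slash-aware builders produce different URL strings for the same request, so switching a deployed client from one to the other changes the URL that any HTTP cache in front of the responder keys on; that is the kind of change the message above says to deploy with care.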
