On 03/07/15 11:13, Plüm, Rüdiger, Vodafone Group wrote:
<snip>
Thanks for the detailed explanation. So yes, OCSP stapling is really beneficial
if it is possible for the server admin to set it up. But it likely requires
additional configuration steps outside of httpd to make the OCSP responder
reachable (like firewall clearances) and leads to otherwise strange "slow"
responses if this is not prepared.
Another obstacle with the current stapling code is that the connection to the
OCSP responder of the CA needs to happen directly and cannot be done via a proxy.
Hence I agree with Kaspar that it should be off by default.

Given the current stapling code, that's fair enough.

Is it feasible to engineer around these issues so that stapling could be enabled by default in some future httpd release? If not, what's the showstopper?

Thanks.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
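For readers wanting the concrete shape of the setup the thread is debating, here is an httpd 2.4 mod_ssl stapling configuration that bounds the "slow response" failure mode Rüdiger describes. This is an added example, not configuration from the thread or from the httpd project; the certificate paths, the hostnames and the specific timeout values are illustrative assumptions, and the commented-out SSLStaplingForceURL line is a workaround assumption for the no-proxy limitation, not something the thread proposes.

```apache
# Added example (not from the thread): mod_ssl stapling with the responder
# fetch bounded so an unreachable CA responder cannot stall handshakes for long.
# Paths, hostnames and timeout values are illustrative assumptions.

# The stapling cache is a server-config (global) directive; it cannot be
# placed inside a <VirtualHost>.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # The issuer (intermediate) certificate must be available to mod_ssl,
    # otherwise it cannot build the OCSP request and nothing gets stapled.
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

    SSLUseStapling on

    # Cap how long a handshake may wait on the responder fetch (default 10 s).
    # This is what turns an unreachable responder from a long stall into a
    # short one.
    SSLStaplingResponderTimeout 5

    # On responder errors (tryLater, HTTP failures, timeouts) omit the staple
    # rather than sending the error to clients; they fall back to their own
    # revocation checking.
    SSLStaplingReturnResponderErrors off

    # Cache a good response for an hour and remember a failure for ten
    # minutes, so every handshake does not retry a responder known to be down.
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout    600

    # Assumed workaround for the no-proxy limitation: mod_ssl sends the OCSP
    # request straight to the URL in the certificate's AIA extension. If that
    # host is only reachable through an egress proxy, an internal reverse
    # proxy that forwards to the CA's responder can be substituted here. A
    # plain forward proxy does not help, because mod_ssl would send the
    # request to this URL rather than tunnel through it.
    # SSLStaplingForceURL http://ocsp-proxy.internal.example:8080/
</VirtualHost>
```

To confirm a staple is actually being delivered, run `openssl s_client -connect www.example.com:443 -status </dev/null` from outside the host and look for `OCSP Response Status: successful`; if the responder is blocked by the firewall the handshake still completes (after at most the SSLStaplingResponderTimeout on the first attempt) but the output reports no OCSP response, which is the "off, but silently" state this configuration degrades to.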
