On 01.07.2015 14:27, Ben Laurie wrote:
> On 1 November 2014 at 09:05, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
>> The fundamental objection I have to enabling stapling by default in our
>> GA releases is that it would enable a "phoning home" feature (to the
>> CA's OCSP responders) as a side effect of configuring a certificate.
>> This is a setting I consider unacceptable for software published by the
>> Apache HTTP Server project - the default must be opt-in, not opt-out.
>
> I've just become aware of this objection and would like to understand
> the thinking behind it. Firstly, it seems strange to call this
> "phoning home", a term that _usually_ means connecting to the vendor
> of the s/w.
>
> But more importantly, what harm is there in a server connecting to the
> OCSP responders for the certificates it is serving? Why is this
> "unacceptable"?
It's unacceptable for at least two reasons:

a) by default, an HTTP server is supposed to process *incoming* requests,
not make accidental outgoing connections in addition (at least not
unless it's explicitly instructed to do so);

b) there's no statement in our license with an explicit caveat on such a
side effect ("when relying on our default settings, configuring a site
with an SSL server certificate may result in unsolicited outgoing HTTP
requests" - and no, I do not want to see our license amended by things
like that).

I maintain my objection to uncommenting "#SSLUseStapling On" in our
default config in httpd-ssl.conf.in - and for the record, also to
changing code, be that in ssl_engine_config.c:modssl_ctx_init() or
elsewhere.

Those keen on enabling it by default on behalf of the users ("because we
know what is good for you") are free to lobby with the OS vendors to
have their package defaults changed.

Kaspar
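For readers following the thread, the opt-in configuration under discussion looks like this. This is an added illustration, not text from either message and not the httpd project's shipped httpd-ssl.conf.in; it uses the mod_ssl directives SSLUseStapling, SSLStaplingCache and SSLStaplingResponderTimeout, and the certificate paths are placeholders.

```apache
# Added example: explicitly enabling OCSP stapling for one TLS vhost.
# With stapling on, httpd itself will fetch OCSP responses from the
# responder URL carried in the certificate's AIA extension, i.e. the
# outgoing connections the thread is about. The cache is mandatory
# (server-wide, outside any <VirtualHost>) or stapling will not start.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.test          # placeholder hostname
    SSLEngine on
    SSLCertificateFile    "conf/server.crt"   # placeholder path
    SSLCertificateKeyFile "conf/server.key"   # placeholder path

    # Opt-in: leave this line out (or set it to off) and httpd makes
    # no OCSP requests on behalf of this certificate.
    SSLUseStapling on

    # Bound how long a responder lookup may stall (seconds).
    SSLStaplingResponderTimeout 5
</VirtualHost>
```

Whether the responder connections actually happen can be checked from the server side with an egress firewall log or a packet capture on port 80/443 towards the CA's responder host, and from the client side with `openssl s_client -status`, which prints the stapled response if one was obtained.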