On 29.08.2015 17:56, olli hauer wrote:
> On 2015-07-03 12:13, Plüm, Rüdiger, Vodafone Group wrote:
>> Thanks for the detailed explanation. So yes, OCSP stapling is really beneficial if it is possible for the server admin to set it up. But it likely requires additional configuration steps outside of httpd to make the OCSP responder reachable (like firewall clearances) and leads to otherwise strange "slow" responses if this is not prepared. Another obstacle with the current stapling code is that the connection to the OCSP responder of the CA needs to happen directly and cannot be done via a proxy. Hence I agree with Kaspar that it should be off by default.
>>
>
> Not tested, but looking at the mod_ssl doc it seems SSLStaplingForceURL can be used to proxy requests to the OCSP responder(s).
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
>
> In case SSLStaplingForceURL can be used to force OCSP requests via proxy, it would be nice to add something like the following patch before enabling OCSP stapling as default.
It can't be used like this, as pointed out in [1]. Its main use is for certs which do not include an OCSP URI at all, so configuring SSLStaplingForceURL at the global level doesn't make much sense - you would have to run a "transparent OCSP proxy" at that URL (mod_ssl will just send plain OCSP requests to this address).

Kaspar

[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201411.mbox/%3C5454A1FE.6060204%40velox.ch%3E
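As an added illustration of the two points raised in this thread (a responder that is unreachable from the server stalls handshakes, and SSLStaplingForceURL is an alternative responder address rather than a proxy setting), here is an httpd 2.4 mod_ssl stapling configuration. It is example configuration written for this discussion, not from the thread or the httpd project; the hostname, certificate paths and responder URL are placeholders.

```apache
# Global (server config) level: a stapling cache must be defined before
# SSLUseStapling can be switched on in any virtual host.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com              # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/cert.pem   # placeholder
    SSLCertificateKeyFile /etc/ssl/example/key.pem    # placeholder

    SSLUseStapling on

    # Bound the wait on the CA's responder so that a blocked or slow
    # responder (no firewall clearance, no usable proxy) does not turn
    # into the "strange slow responses" described above. Default is 10s.
    SSLStaplingResponderTimeout 5

    # Do not forward responder errors to clients as a stapled response;
    # simply omit the staple and let the client fall back to its own checks.
    SSLStaplingReturnResponderErrors off

    # Remember a failed lookup for a while so every new handshake does not
    # retry the unreachable responder.
    SSLStaplingErrorCacheTimeout 600

    # Only for certificates whose AIA extension carries no OCSP URI.
    # mod_ssl sends plain OCSP requests straight to this address; it does
    # not route them through an HTTP proxy, so this is not a proxy knob.
    # SSLStaplingForceURL http://ocsp.example-ca.invalid/   # placeholder
</VirtualHost>
```

After a reload, a client-side check such as `openssl s_client -connect www.example.com:443 -status` shows whether an OCSP response is actually being stapled.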