On 29.09.2015 at 17:31, Jeff Trawick wrote:
On 09/29/2015 04:20 AM, Reindl Harald wrote:
is that by intention?

The default timeout before retrying an error seems to be 10 minutes (see
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingerrorcachetimeout),
which is pretty excessive.

As far as you recall about the time period before you gave up, was that
within 10 minutes?

I just restarted the servers and disabled stapling since all our services were unreachable (before I wrote the second mail, 5 different hosts with several sites were affected)

In fact the error caching does more harm than benefit - IMHO a better "could not reach OCSP server or received an error from it" caching would be to just temporarily disable stapling for 10 minutes instead of letting connections fail, even from clients which have OCSP disabled completely

Firefox refused to open our admin panel with the error below until I
restarted httpd - I suggest the server should retry SSLUseStapling
when a new client connects and it has failed for whatever reason

SSLUseStapling On

An error occurred during a connection to *******:8443. The OCSP server
suggests trying again later. (Error code:
sec_error_ocsp_try_server_later)
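The failure mode described in this thread follows from mod_ssl's stapling defaults: a failed responder query is cached for SSLStaplingErrorCacheTimeout (default 600 seconds), and because SSLStaplingReturnResponderErrors and SSLStaplingFakeTryLater both default to On, a synthesized "tryLater" is stapled to every client during that window, which Firefox rejects as sec_error_ocsp_try_server_later. The configuration below is an added example for httpd 2.4, not from the thread or the httpd project; the cache path, size and vhost details are placeholders.

```apache
# Added example: mod_ssl 2.4 stapling configured to fail open.
# Placeholder path/size; SSLStaplingCache must be set once, in global context.
SSLStaplingCache        shmcb:/path/to/run/ssl_stapling(32768)

<VirtualHost *:8443>
    SSLEngine               on
    SSLUseStapling          on

    # Default behaviour (as in the thread): with only "SSLUseStapling on",
    # a responder failure is cached for 600 s and, since
    # SSLStaplingReturnResponderErrors / SSLStaplingFakeTryLater default to
    # On, a fake "tryLater" is stapled to every client for that period.

    # Corrected: do not staple responder errors at all.  During the error
    # window the client receives no stapled response and applies its own
    # revocation policy instead of failing the handshake.
    SSLStaplingReturnResponderErrors off

    # Retry the responder sooner than the 600 s default (seconds).
    SSLStaplingErrorCacheTimeout     60

    # Give up on a slow responder faster so handshakes are not delayed
    # (seconds; default 10).
    SSLStaplingResponderTimeout      5
</VirtualHost>
```

Apply the change with a configuration test (`apachectl configtest`) before reloading, and confirm afterwards that a handshake during a responder outage completes without a stapled status rather than returning tryLater.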
