On 01.10.2015 at 16:29, Plüm, Rüdiger, Vodafone Group wrote:


-----Original Message-----
From: Reindl Harald [mailto:[email protected]]
Sent: Thursday, 1 October 2015 15:18
To: [email protected]
Subject: Re: SSLUseStapling: ssl handshake fails until httpd restart



On 01.10.2015 at 15:08, Reindl Harald wrote:
On 01.10.2015 at 14:53, Plüm, Rüdiger, Vodafone Group wrote:
Not really, I had the error message just now again in FF; the difference was that now a "try again" loaded the page, but with "SSLStaplingReturnResponderErrors" I would expect it to be invisible to clients in general. GoDaddy seems to have massive problems with their responders these last days, and the defaults with stapling enabled make them a perfect DoS target.

[Thu Oct 01 13:33:01.179365 2015] [ssl:error] [pid 19312] [client
10.0.0.99:37860] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 13:33:01.179393 2015] [ssl:error] [pid 19312] AH01941:
stapling_renew_response: responder error

SSLStaplingCache shmcb:/var/cache/mod_ssl/ocsp_cache(1048576)
SSLStaplingStandardCacheTimeout 86400
SSLStaplingErrorCacheTimeout 300
SSLStaplingReturnResponderErrors Off

What happens if you set

SSLStaplingFakeTryLater off

in addition?

I added that now and will have a look at the server logs. It's not happening all the time, but very often, so if the logs are clear within 24 hours the problem is likely solved.

Doesn't look that good: "Connection reset by peer" indicates a failed client request; the other lines could be just internal.

[Thu Oct 01 15:15:01.495986 2015] [ssl:error] [pid 17468]
(104)Connection reset by peer: [client 81.223.20.5:55156] AH01977:
failed reading line from OCSP server
[Thu Oct 01 15:15:01.496037 2015] [ssl:error] [pid 17468] [client
81.223.20.5:55156] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 15:15:01.496057 2015] [ssl:error] [pid 17468] AH01941:
stapling_renew_response: responder error

The question is: what happens on the Firefox side? Of course it still tries to get to the OCSP server, but it should not cause an error on the Firefox side if this does not work.

No, it does not, because "security.OCSP.enabled = 0", and I saw at least two requests to different servers failing with my Firefox with the responder error from the webserver.
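As an added example (not part of the thread or of httpd), here is a small Python parser for the mod_ssl stapling errors quoted above (AH01977, AH01980, AH01941). It counts the error codes, lists the affected clients, and reports whether failed renewals (AH01941) recur faster than the SSLStaplingErrorCacheTimeout of 300 seconds from the quoted config, which would suggest responder errors are not being cached between attempts. The log lines are constructed from the ones in the thread, plus one unrelated core line to show it is skipped.

```python
import re
from collections import Counter
from datetime import datetime

# Error codes mod_ssl logs when an OCSP stapling refresh fails (as quoted in the thread).
STAPLING_CODES = {"AH01977", "AH01980", "AH01941"}

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
[Thu Oct 01 13:33:01.179365 2015] [ssl:error] [pid 19312] [client 10.0.0.99:37860] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 13:33:01.179393 2015] [ssl:error] [pid 19312] AH01941: stapling_renew_response: responder error
[Thu Oct 01 15:15:01.495986 2015] [ssl:error] [pid 17468] (104)Connection reset by peer: [client 81.223.20.5:55156] AH01977: failed reading line from OCSP server
[Thu Oct 01 15:15:01.496037 2015] [ssl:error] [pid 17468] [client 81.223.20.5:55156] AH01980: bad response from OCSP server: (none)
[Thu Oct 01 15:15:01.496057 2015] [ssl:error] [pid 17468] AH01941: stapling_renew_response: responder error
[Thu Oct 01 15:15:02.000000 2015] [core:notice] [pid 1] AH00094: Command line: 'httpd'
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]+):(?P<lvl>[^\]]+)\] "
                     r"\[pid (?P<pid>\d+)\](?P<rest>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
CODE_RE = re.compile(r"\b(AH\d{5}):")

def parse_log(text):
    """Return one dict per mod_ssl line that carries an OCSP stapling error code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("mod") != "ssl":
            continue  # not a mod_ssl line
        code = CODE_RE.search(m.group("rest"))
        if not code or code.group(1) not in STAPLING_CODES:
            continue  # mod_ssl line, but not a stapling failure
        client = CLIENT_RE.search(m.group("rest"))
        events.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
            "pid": int(m.group("pid")),
            "code": code.group(1),
            "client": client.group("client") if client else None,
        })
    return events

def summarize(events, error_cache_timeout=300):
    """Count codes and clients; each AH01941 is one failed stapling refresh.
    If two failed refreshes are closer together than error_cache_timeout
    (SSLStaplingErrorCacheTimeout), the error is not being served from cache."""
    renewals = sorted(e["time"] for e in events if e["code"] == "AH01941")
    gaps = [(b - a).total_seconds() for a, b in zip(renewals, renewals[1:])]
    return {
        "codes": Counter(e["code"] for e in events),
        "clients": sorted({e["client"] for e in events if e["client"]}),
        "failed_renewals": len(renewals),
        "refresh_faster_than_error_cache": any(g < error_cache_timeout for g in gaps),
    }
```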
