I am looking for feedback and harsh criticism from this excellent group of people here. If you see mistakes or have ideas on improving, I'd appreciate it.

Cheers, Stefan

The new OCSP stapling implementation in mod_md will:
- be for server certificates in virtual hosts
- co-exist with existing mod_ssl OCSP stapling
- be watchdog driven, file system persisted

Features of mod_ssl stapling I do not plan to implement:
- SSLStaplingFakeTryLater: either we have a response or not. If not, nothing is set in the response. On must-staple, clients will fail.
- SSLStaplingForceURL: I think I do not need it for the test setup.
- SSLStaplingResponseMaxAge: there will be a "renew window" instead, so the watchdog will get a new response x amount of time before the existing one expires.
- SSLStaplingResponseTimeSkew: I see no need.
- SSLStaplingReturnResponderErrors: errors from OCSP responders are detected by the watchdog and logged. Clients only see valid stapling or no stapling.

Maybe I am missing a use case here. If you are aware of one (e.g. need for time skew), please let me know.

General interworking mod_ssl <-> mod_md: 2 new optional functions:

  apr_status_t md_stapling_init_cert(server_rec *s, X509 *cert, ...)
  apr_status_t md_stapling_get_response(md_ocsp_response **prsp, server_rec *s, X509 *cert, conn_rec *c, ...)

Via "MDStapling on|off", the admin can control the new stapling for all or just a particular MD. Via "MDStapling all", the new stapling would apply to all certificates, even those not covered by an MD.

md_stapling_init_cert(...) will return:
- APR_SUCCESS, when mod_md takes over stapling of this server_rec
- APR_ENOTIMPL, when it does not and mod_ssl shall continue as it does now
- otherwise, a real error happened.

md_stapling_get_response(...) will return:
- APR_SUCCESS with a valid response
- APR_ENOENT if no valid response is available
- APR_ENOTIMPL if mod_md does not provide stapling for this server/cert
- otherwise, a real error happened.
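The return-code contract and the "renew window" replacement for SSLStaplingResponseMaxAge, modelled as an added example (not mod_md or mod_ssl code): the stapling_entry table, the MD_* enum and the integer timestamps are constructed stand-ins for the X509/APR types, and the renew_window parameter is an assumption about how the proposal's "x amount of time" would be passed in.

```c
/* Constructed model of the proposed mod_md <-> mod_ssl stapling contract.
 * Plain C types replace APR/OpenSSL; the logic mirrors the proposal:
 * a client sees either a valid stapled response or nothing at all. */
#include <stddef.h>
#include <string.h>
#include <time.h>

enum md_rc { MD_SUCCESS = 0, MD_ENOENT = 1, MD_ENOTIMPL = 2 };

/* One cached OCSP response as the watchdog would persist it (constructed). */
typedef struct {
    const char *cert_id;   /* stands in for the X509 */
    int md_managed;        /* "MDStapling on" covers this cert */
    int have_response;     /* a response was fetched and verified */
    time_t not_after;      /* nextUpdate of the cached response */
} stapling_entry;

/* Lookup following the proposed return codes:
 * MD_ENOTIMPL when mod_md does not staple this cert (mod_ssl continues),
 * MD_ENOENT when no valid response exists (nothing is stapled),
 * MD_SUCCESS with *not_after set when a valid response is available. */
enum md_rc md_stapling_get_response(const stapling_entry *tbl, size_t n,
                                    const char *cert_id, time_t now,
                                    time_t *not_after)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].cert_id, cert_id) != 0) continue;
        if (!tbl[i].md_managed) return MD_ENOTIMPL;
        if (!tbl[i].have_response || tbl[i].not_after <= now) return MD_ENOENT;
        *not_after = tbl[i].not_after;
        return MD_SUCCESS;
    }
    return MD_ENOTIMPL;  /* unknown cert: not ours, mod_ssl decides */
}

/* Watchdog decision replacing SSLStaplingResponseMaxAge: fetch a new
 * response when the cached one expires within renew_window seconds,
 * or when there is no usable response at all. Responder errors would
 * be logged here and leave the entry without a response. */
int md_stapling_needs_renew(const stapling_entry *e, time_t now,
                            time_t renew_window)
{
    if (!e->md_managed) return 0;
    if (!e->have_response) return 1;
    return e->not_after - now <= renew_window;
}
```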
