https://bz.apache.org/bugzilla/show_bug.cgi?id=62031

            Bug ID: 62031
           Summary: document better ocsp stapling values
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: docs@httpd.apache.org
          Reporter: bjo...@j3e.de
  Target Milestone: ---

https://wiki.apache.org/httpd/OCSPStapling

does not mention how to improve the ocsp stapling settings for better
scalability. I suggest the following settings:

# We don't want to send out errors of the OCSP server to the clients:
SSLStaplingReturnResponderErrors off

# The default wait time of 10s is a bit too long; shorten it to 4s, which is
# still a lot:
SSLStaplingResponderTimeout 4

# High cache time to minimize cases like in
# https://issues.apache.org/bugzilla/show_bug.cgi?id=57121
# There is really no need to refresh the OCSP response more often than every 48
# hours. We'll risk bad replies from servers if we query them every hour, and
# that really causes trouble quite often then:
SSLStaplingStandardCacheTimeout 172800

# And in case of OCSP server errors, retry fast after 60s and not keep the bad
# response for at least 600s:
SSLStaplingErrorCacheTimeout 60

The default values of those parameters cause so many server errors that it's
not advisable to enable OCSP stapling without modifying them as pointed out
above.
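An added check for the 48-hour cache value proposed above (example code, not from the bug report or from httpd): a cached staple must expire before the responder's Next Update, or the server will hand out a stale response. It parses constructed `openssl ocsp -resp_text` output; the function names are this example's own.

```python
"""Compare a proposed SSLStaplingStandardCacheTimeout with an OCSP responder's
validity window, using the text `openssl ocsp -resp_text` prints."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a good response (validity window: one week).
GOOD_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 20 08:00:00 2018 GMT
    Next Update: Jan 27 08:00:00 2018 GMT
"""

# Constructed sample of the kind of reply SSLStaplingErrorCacheTimeout governs.
ERROR_RESPONSE = "OCSP Response Status: trylater (0x3)\n"

DATE_FMT = "%b %d %H:%M:%S %Y"

def utc_time(text):
    """Parse an openssl-style 'Jan 21 00:00:00 2018' timestamp as UTC."""
    return datetime.strptime(text.strip(), DATE_FMT).replace(tzinfo=timezone.utc)

def responder_ok(resp_text):
    """True only for a successful response that reports the cert as good."""
    return ("OCSP Response Status: successful" in resp_text
            and "Cert Status: good" in resp_text)

def validity_window(resp_text):
    """Return (thisUpdate, nextUpdate) from the response text, or None."""
    m = re.search(r"This Update:\s+(.+?) GMT\s+Next Update:\s+(.+?) GMT", resp_text)
    return None if m is None else (utc_time(m.group(1)), utc_time(m.group(2)))

def cache_timeout_fits(resp_text, cache_timeout_s, now):
    """True if a good response fetched at `now` and cached for cache_timeout_s
    seconds is still inside the responder's validity window when the cache
    entry expires; a staple served past Next Update may be rejected by clients."""
    if not responder_ok(resp_text):
        return False          # error replies must not be cached for long
    window = validity_window(resp_text)
    if window is None:
        return False
    this_update, next_update = window
    if not (this_update <= now < next_update):
        return False          # already stale (or not yet valid) when fetched
    return now + timedelta(seconds=cache_timeout_s) <= next_update
```

With the sample window of one week, the proposed 172800 s (48 h) fits, while a 7-day cache would outlive the response.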
