https://bz.apache.org/bugzilla/show_bug.cgi?id=62031
Bug ID: 62031
Summary: document better ocsp stapling values
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: docs@httpd.apache.org
Reporter: bjo...@j3e.de
Target Milestone: ---

https://wiki.apache.org/httpd/OCSPStapling does not mention how to improve the OCSP stapling settings for better scalability.

I suggest the following settings:

# we don't want to send out errors of the OCSP server to the clients:
SSLStaplingReturnResponderErrors off
# the default wait time of 10s is a bit too long, shorten it to 4s, which is still a lot:
SSLStaplingResponderTimeout 4
# high cachetime to minimize cases like in
# https://issues.apache.org/bugzilla/show_bug.cgi?id=57121
# there is really no need to refresh the OCSP response more often than every 48 hours. We'll risk bad replies from servers if we query them every hour. And that really causes trouble quite often then:
SSLStaplingStandardCacheTimeout 172800
# and in case of OCSP server errors, retry fast after 60s and not keep the bad response for at least 600s:
SSLStaplingErrorCacheTimeout 60

The default values of those parameters cause so many server errors that it's not advisable to enable OCSP stapling without modifying them as pointed out above.
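An added example, not part of the original report or of httpd itself: a small Python audit that reads an httpd configuration and lists, for each scope with SSLUseStapling on, which of the four directives from the report are still effectively at their defaults. It assumes virtual hosts inherit stapling settings from the global server config, does not follow Include directives, and treats "on" as the default for SSLStaplingReturnResponderErrors; SAMPLE_CONF and the function names are constructed for illustration.

```python
import re

# 10 s, hourly refresh and 600 s are the defaults the report cites; "on" is assumed.
DEFAULTS = {
    "sslstaplingreturnrespondererrors": "on",
    "sslstaplingrespondertimeout": "10",
    "sslstaplingstandardcachetimeout": "3600",
    "sslstaplingerrorcachetimeout": "600",
}

# Constructed sample configuration (addresses are illustrative).
SAMPLE_CONF = """
SSLStaplingResponderTimeout 4
<VirtualHost *:443>
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off
    SSLStaplingStandardCacheTimeout 172800
    SSLStaplingErrorCacheTimeout 60
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLUseStapling on
</VirtualHost>
"""

def effective_stapling(conf_text):
    """Merge defaults, global settings and per-vhost settings (simplified model)."""
    scopes, current = {"global": {}}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, {})
        elif line.lower().startswith("</virtualhost"):
            current = "global"
        else:
            name, *rest = line.split(None, 1)
            if name.lower() in DEFAULTS or name.lower() == "sslusestapling":
                scopes[current][name.lower()] = "".join(rest).strip('"').lower()
    base = {**DEFAULTS, "sslusestapling": "off", **scopes["global"]}
    return {scope: {**base, **own} for scope, own in scopes.items()}

def at_default(conf_text):
    """Per stapling-enabled scope, list directives still at their default value."""
    found = {s: sorted(k for k, v in DEFAULTS.items() if e[k] == v)
             for s, e in effective_stapling(conf_text).items() if e["sslusestapling"] == "on"}
    return {s: left for s, left in found.items() if left}
```

On the sample, the first virtual host sets or inherits all four values and is not reported, while the second inherits only the global 4 s responder timeout and is flagged for the other three.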