On 14-06-16 20:10, Lukas Tribus wrote:
> Am 14.06.2016 um 18:31 schrieb Thijs Kinkhorst:
>> If so, I'd like it to become possible, because I'd prefer to be able to
>> set this entirely via the socket approach, and not having to special
>> case the initial condition where the response was not present.
> 
> But then you will have a race condition between the haproxy
> start/reload/restart and when you actually insert the OCSP response in
> haproxy; a time frame where haproxy won't serve ocsp responses to the
> client and that seems like it would defeat the purpose of OCSP.

In that case it would indeed not staple, but that would not defeat the
purpose of OCSP itself per se, I think. I was looking for a way to not have
to handle these two cases separately. But perhaps it's indeed not so big
of a burden, and it is more correct not to have this short window where
nothing is being stapled.

> If you use must-staple, then you are actually self-DoSing yourself.

Although we're not using that now, it surely is a fair point to keep in
mind.

Thanks for your helpful answers.


Cheers,
Thijs

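The two cases discussed above can be handled in one step rather than special-cased: write the DER response to `<crt>.ocsp` (which haproxy loads at startup, so a start/reload/restart staples from the first handshake) and then push the same response over the stats socket with `set ssl ocsp-response` for the already-running process. The script below is an added example, not code from this thread or from the haproxy project; `CERT_PATH` and `SOCKET_PATH` are hypothetical, and `SAMPLE_DER` is a constructed placeholder rather than a real OCSP response.

```python
"""Install an OCSP response into haproxy through both channels, so that
there is no window after a start/reload/restart in which nothing is stapled.

Added example, not haproxy's own tooling. Assumptions:
  * haproxy loads a file named <crt>.ocsp beside the certificate as the
    stapled response at startup, and the stats socket accepts
    "set ssl ocsp-response <base64-encoded DER>";
  * CERT_PATH and SOCKET_PATH below are hypothetical paths;
  * SAMPLE_DER is constructed placeholder bytes, not a real OCSP response.
"""
import base64
import os
import socket
import tempfile

CERT_PATH = "/etc/haproxy/certs/example.pem"   # hypothetical
SOCKET_PATH = "/run/haproxy/admin.sock"        # hypothetical
SAMPLE_DER = b"\x30\x03\x0a\x01\x00"           # constructed placeholder, not a real response


def ocsp_file_for(cert_path):
    """Path haproxy reads at startup: the certificate path plus '.ocsp'."""
    return cert_path + ".ocsp"


def write_ocsp_file(cert_path, der):
    """Atomically write <crt>.ocsp so the next start/reload/restart staples
    from the first handshake onward, closing the window described above."""
    target = ocsp_file_for(cert_path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target) or ".", prefix=".ocsp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(der)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, target)  # rename is atomic: haproxy never sees a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return target


def socket_command(der):
    """Build the stats-socket command: the DER response, base64-encoded, on one line."""
    return "set ssl ocsp-response " + base64.b64encode(der).decode("ascii") + "\n"


def push_to_socket(sock_path, der, timeout=5.0):
    """Update the running process over the stats socket and return haproxy's
    reply text; the caller decides whether the reply indicates success."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(socket_command(der).encode("ascii"))
        chunks = []
        while True:  # haproxy closes the connection after answering a one-shot command
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace").strip()


def install_response(cert_path, sock_path, der):
    """Order matters: write the file first, then tell the running process.
    If the socket push fails, the file still makes the next reload correct."""
    target = write_ocsp_file(cert_path, der)
    reply = push_to_socket(sock_path, der)
    return target, reply


if __name__ == "__main__":
    print(install_response(CERT_PATH, SOCKET_PATH, SAMPLE_DER))
```

Run it from the same job that fetches the OCSP response (for example with `openssl ocsp`), before the response's nextUpdate passes. With must-staple in the certificate, a failure of either step is worth alerting on, since clients honouring the extension will refuse a handshake without a staple.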