[ https://issues.apache.org/jira/browse/TS-2367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Feifei Cai updated TS-2367:
---------------------------
Attachment: TS-2367.diff
proxy.config.ssl.stapling.enabled: Enable stapling of OCSP responses. Disabled by default.
proxy.config.ssl.stapling.cache_timeout: Number of seconds before an OCSP response expires in the stapling cache. 3600s (1 hour) by default.
proxy.config.ssl.stapling.request_timeout: Timeout for queries to OCSP responders. 10s by default.
proxy.config.ssl.stapling.update_period: Update period for stapling caches. 60s (1 min) by default.
When OCSP Stapling is enabled, ATS spawns a new thread to send the OCSP request and
get the OCSP response. The response is cached for 3600s (1 hour) on the server. In
detail, the request has a timeout when trying to connect to the CA's OCSP responder,
which is 10s by default. ATS keeps checking the cached response at the update
period.
In the SSL module, ATS does not send OCSP requests in OpenSSL's callback
functions. It just tries to get the response from the stapling cache. In this way, the
connection won't hang the ATS event system.
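The design described in this comment (an updater thread that queries the responder under request_timeout, a cache entry that lives for cache_timeout, and a handshake-side callback that only reads the cache), modelled as an added C++ example that is not ATS code or the attached patch; the StaplingConfig/StaplingCache names and the plain integer-seconds clock are assumptions.

```cpp
#include <cstdint>
#include <mutex>
#include <string>

// Hypothetical mirror of proxy.config.ssl.stapling.* (defaults from the comment).
struct StaplingConfig {
    bool enabled = true;
    int cache_timeout = 3600;  // seconds a cached response stays usable
    int request_timeout = 10;  // seconds allowed for one responder query
    int update_period = 60;    // updater thread's sleep interval (loop not shown)
};
// Handshake-side outcome; NoAck means no status is sent (SSL_TLSEXT_ERR_NOACK).
enum class StapleResult { Stapled, NoAck };

class StaplingCache {
public:
    explicit StaplingCache(StaplingConfig cfg) : cfg_(cfg) {}

    // Updater thread, woken every update_period: is a fresh query needed?
    bool refresh_due(std::int64_t now) const {
        std::lock_guard<std::mutex> g(mu_);
        return cfg_.enabled && expired_unlocked(now);
    }

    // Updater thread, after querying the responder: store the DER response unless
    // the reply was empty or took longer than request_timeout (old entry is kept).
    bool refresh(const std::string& der, int elapsed_seconds, std::int64_t now) {
        if (der.empty() || elapsed_seconds > cfg_.request_timeout) return false;
        std::lock_guard<std::mutex> g(mu_);
        der_ = der;
        stored_at_ = now;
        return true;
    }

    // Handshake side: reads the cache only and never contacts the responder, so
    // the event thread cannot block on the CA; an expired entry is not stapled.
    StapleResult status_callback(std::int64_t now, std::string& der_out) const {
        std::lock_guard<std::mutex> g(mu_);
        if (!cfg_.enabled || expired_unlocked(now)) return StapleResult::NoAck;
        der_out = der_;
        return StapleResult::Stapled;
    }

private:
    // Caller holds mu_: true when there is no entry or it is older than cache_timeout.
    bool expired_unlocked(std::int64_t now) const { return stored_at_ < 0 || now - stored_at_ >= cfg_.cache_timeout; }
    StaplingConfig cfg_;
    mutable std::mutex mu_;
    std::string der_;
    std::int64_t stored_at_ = -1;
};
```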
> Add OCSP (Online Certificate Status Protocol) Stapling Support
> ---------------------------------------------------------------
>
> Key: TS-2367
> URL: https://issues.apache.org/jira/browse/TS-2367
> Project: Traffic Server
> Issue Type: New Feature
> Components: HTTP, SSL
> Reporter: Bryan Call
> Assignee: Bryan Call
> Fix For: 5.0.0
>
> Attachments: TS-2367.diff, TS-2367.diff
>
>
> RFC:
> http://tools.ietf.org/html/rfc6066
> Overview:
> https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
> http://en.wikipedia.org/wiki/OCSP_stapling
> There is support for this added into openssl 0.9.8g.
--
This message was sent by Atlassian JIRA
(v6.2#6252)