[ https://issues.apache.org/jira/browse/TS-2367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Feifei Cai updated TS-2367:
---------------------------

    Attachment: TS-2367.diff

Hi [~jamespeach], thanks for the review!
I made the following changes according to your comments:
1. Separated the OCSP stapling code from iocore/net/SSLUtils.cc into iocore/net/P_OCSPStapling.h and iocore/net/OCSPStapling.cc
2. Moved struct certinfo into OCSPStapling.cc, since it's not needed in the header file
3. Added the new settings' descriptions in mgmt/RecordsConfig.cc

HAVE_OPENSSL_OCSP_STAPLING is defined when SSL_CTX_set_tlsext_status_cb is defined in the OpenSSL library, in case an old version of OpenSSL is used.
MAX_STAPLING_DER is 10K, so each certificate will use ~10K to store the OCSP info. I think it's not too large for common use cases (in my test case, it's about 2K). Do we need to take a large number of certificates into account?


> Add OCSP (Online Certificate Status Protocol) Stapling Support 
> ---------------------------------------------------------------
>
>                 Key: TS-2367
>                 URL: https://issues.apache.org/jira/browse/TS-2367
>             Project: Traffic Server
>          Issue Type: New Feature
>          Components: HTTP, SSL
>            Reporter: Bryan Call
>            Assignee: Bryan Call
>              Labels: review
>             Fix For: 5.1.0
>
>         Attachments: TS-2367.diff, TS-2367.diff
>
>
> RFC:
> http://tools.ietf.org/html/rfc6066
> Overview:
> https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
> http://en.wikipedia.org/wiki/OCSP_stapling
> Support for this was added in openssl 0.9.8g.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
