[ 
https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14302958#comment-14302958
 ] 

Scott Beardsley commented on TS-3362:
-------------------------------------

Fei, it looks like you are re-using existing metrics. Would it make sense to 
report these error conditions into new metrics instead of overloading the 
existing user_agent_unknown_cert and user_agent_revoked_cert? These metric 
names don't provide any hints that they may be related to OCSP.

Also, you had a different version which reported debug messages to the 
"ssl_ocsp" tag instead of just "ssl". I found that useful for debugging just 
OCSP-related issues.

> Do not staple negative OCSP response
> ------------------------------------
>
>                 Key: TS-3362
>                 URL: https://issues.apache.org/jira/browse/TS-3362
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Feifei Cai
>         Attachments: TS-3362.diff
>
>
> When we get an OCSP response, we check it before caching/stapling it. If it's negative,
> I think we'd better discard it instead of sending it back to the user agent. This
> would not increase security risk: the user agent would query the CA for an OCSP response
> if ATS does not staple it with the certificate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
