[
https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14302982#comment-14302982
]
Feifei Cai edited comment on TS-3362 at 2/3/15 9:13 AM:
--------------------------------------------------------
Oh, yes, you're right. The fetch and check of the OCSP response happen in an independent
thread, not in the SSL handshake. I should report it in some new metrics, e.g.
{{proxy.process.ssl.ocsp_revoked_certstatus}},
{{proxy.process.ssl.ocsp_unknown_certstatus}}...
And I'll extend the {{ssl}} debug tag to {{ssl_ocsp}}. Will attach a new patch
soon.
> Do not staple negative OCSP response
> ------------------------------------
>
> Key: TS-3362
> URL: https://issues.apache.org/jira/browse/TS-3362
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Feifei Cai
> Attachments: TS-3362.diff
>
>
> When we get an OCSP response, we check it before caching/stapling it. If it's negative,
> I think we'd better discard it instead of sending it back to the user agent. This
> would not increase the security risk: the user agent would query the CA for the OCSP response
> if ATS does not staple it with the certificate.
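As an added illustration (not ATS code and not the attached TS-3362.diff), the decision the issue describes, written in C++ around a simplified response struct and hypothetical counters named after the metrics proposed in the comment: a fetched response is checked before it is cached or stapled, revoked/unknown responses are counted and dropped so the user agent queries the CA itself, and, as an added caveat the issue does not state, a negative response also evicts any older cached good staple. The clock-skew tolerance and validity-window check are assumptions.

```cpp
#include <cstdint>
#include <ctime>
#include <optional>

// CertStatus of an OCSP SingleResponse (RFC 6960): good, revoked, or unknown.
enum class OcspStatus { Good, Revoked, Unknown };

// Fields of a fetched OCSP response that the stapling decision needs.
struct OcspResponse {
  OcspStatus status;
  std::time_t this_update;  // thisUpdate from the response
  std::time_t next_update;  // nextUpdate, or 0 when the responder omits it
};

// Hypothetical counters named after the metrics proposed in the comment.
struct OcspMetrics {
  uint64_t revoked_certstatus = 0;  // proxy.process.ssl.ocsp_revoked_certstatus
  uint64_t unknown_certstatus = 0;  // proxy.process.ssl.ocsp_unknown_certstatus
  uint64_t stale_response = 0;      // hypothetical: outside its validity window
};

// Per-certificate staple cache: the last response that passed every check.
struct StapleCache { std::optional<OcspResponse> stapled; };
// Refresh-thread side. Returns true when the new response was cached. Negative
// responses are counted and discarded instead of being sent to the client, and
// any older cached "good" is dropped too, so the user agent queries the CA.
bool refresh_staple(StapleCache &cache, const OcspResponse &resp,
                    OcspMetrics &m, std::time_t now) {
  const std::time_t skew = 300;  // tolerate small clock drift (assumed value)
  if (resp.this_update > now + skew ||
      (resp.next_update != 0 && resp.next_update + skew < now)) {
    ++m.stale_response;  // not trustworthy either way; leave the cache alone
    return false;
  }
  switch (resp.status) {
    case OcspStatus::Revoked: ++m.revoked_certstatus; cache.stapled.reset(); return false;
    case OcspStatus::Unknown: ++m.unknown_certstatus; cache.stapled.reset(); return false;
    case OcspStatus::Good: break;
  }
  cache.stapled = resp;
  return true;
}

// Handshake side: staple only a cached response that is still inside its window.
const OcspResponse *staple_for_handshake(const StapleCache &cache, std::time_t now) {
  if (!cache.stapled) return nullptr;
  if (cache.stapled->next_update != 0 && cache.stapled->next_update < now) return nullptr;
  return &*cache.stapled;
}
```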
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)