[DEFER] Add support for OCSP Stapling on Apache 2.4 #18
mscherer wants to merge 3 commits into OSAS:master from
Conversation
While this is likely just extra security, this should improve performance in case clients do OCSP verification.
I haven't tested it yet however (need a more recent httpd), and I also need to read a bit more regarding OCSP stapling. But it should work fine on EL7, in the sense that it wouldn't break anything.
I have some difficulties understanding the security implications of SSLStaplingReturnResponderErrors set to off. It seems that when the OCSP server request fails for any reason, the choice is between having all browsers fail to see the site or all browsers think that all is fine. IIUC there is no fallback which would tell the browser to make its own attempts. I guess if stapling was off, the browser would have the same error, but then I'm not sure of the behavior. I just would like to be sure that cutting the webserver away from the OCSP server would not imply reducing OCSP security to zero. It seems all examples I can see on the net set it to off, but there is not much explanation though. Aside from this concern, but I'm really no expert on it so it may be irrelevant, this feature is fine to me.
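For reference on the directive discussed above, here is an Apache httpd 2.4 mod_ssl stapling stanza added as an illustration; it is not the configuration from this PR's commits, and the cache backend, cache size and timeout value are assumptions. Per the mod_ssl documentation, SSLStaplingReturnResponderErrors on (the default) forwards unsuccessful stapling results (responder errors, expired responses, a certificate status other than "good") to the client inside the handshake, whereas off staples a response only when the responder answered "good" and otherwise sends no stapled response at all, so the client behaves exactly as it would against a server without stapling (its own OCSP lookup or its usual soft-fail policy), rather than being told the certificate is fine.

```apache
# Added example: OCSP stapling stanza for Apache httpd 2.4 mod_ssl
# (not from this PR). Cache backend/size and timeout are assumptions.

# SSLStaplingCache is server-config only: keep it outside <VirtualHost>.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    SSLEngine on
    # Certificate and key paths are placeholders.
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER.key

    # Fetch OCSP responses for this certificate and include them in the
    # TLS handshake so clients need not contact the responder themselves.
    SSLUseStapling on

    # Stop waiting on the OCSP responder after 5 seconds (default is 10),
    # so a slow responder cannot stall handshakes for long.
    SSLStaplingResponderTimeout 5

    # off: staple only when the responder says "good". On any other result
    # send no stapled response, so the client falls back to its own
    # revocation handling instead of being shown a responder error.
    # on (default): forward responder errors and non-"good" statuses.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

To confirm that a response is actually being stapled after reloading httpd, run `openssl s_client -connect host:443 -status </dev/null 2>&1 | grep -A1 'OCSP response'`: a stapled response prints `OCSP Response Status: successful`, while `OCSP response: no response sent` means the server stapled nothing (either stapling is not active, or with the setting above the responder did not return "good").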
Any news on this one?
I would defer for now until I get more understanding of the consequences. As it requires 2.4, it will likely not be exercised much at the moment.