Bug 56843

Summary: Support different OCSP stapling max ages
Product: Apache httpd-2
Reporter: Sven Strickroth <email>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: enhancement
Priority: P2
Version: 2.4.10
Target Milestone: ---
Hardware: All
OS: All

Description Sven Strickroth 2014-08-12 19:42:38 UTC
Right now, Apache httpd-2.4 only supports one SSLStaplingResponseMaxAge parameter.

For some CAs (like StartSSL) you can obtain a certificate, however, the validity of the certificate is not propagated to the CA's OCSP server immediately (takes up to twenty minutes). This means that if the certificate is set up in httpd and the site is loaded too quickly, an "ocsp unknown status" response is cached for the period of SSLStaplingResponseMaxAge (which is 2 days by default). Within this time span no access to the site is possible with OCSP stapling aware clients (restarting httpd doesn't help since the response is cached - the only way to fix this is to set SSLStaplingResponseMaxAge to a very low value, reload httpd, reset SSLStaplingResponseMaxAge to the old/default value and reload again).

There should be a more elegant way to fix this - e.g. by allowing a much shorter maximum caching age for "unknown status" responses.
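An added pre-flight check, not part of this report or of httpd, that an administrator can run before turning stapling on: it asks the CA's responder directly and only reports "ready" on a definitive "good", so a transient "unknown" is never cached for SSLStaplingResponseMaxAge in the first place. The file names server.pem and issuer.pem are assumed.

```shell
#!/bin/sh
# Pre-flight OCSP check before enabling SSLUseStapling in httpd.
# Hypothetical inputs: server.pem (leaf certificate), issuer.pem (CA cert).

# parse_ocsp_status: reads `openssl ocsp -resp_text` output on stdin and
# prints exactly one word: good, revoked, unknown, or error (no
# "Cert Status:" line at all, e.g. "Responder Error: unauthorized").
parse_ocsp_status() {
    status=$(sed -n 's/^.*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    [ -n "$status" ] && echo "$status" || echo error
}

# query_ocsp CERT ISSUER: live query against the responder URL carried in
# the certificate's AIA extension. openssl verifies the response signature
# against the default trust store and prints its verdict; only the
# certificate status word is extracted here.
query_ocsp() {
    cert=$1; issuer=$2
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
        -resp_text 2>&1 | parse_ocsp_status
}

# stapling_ready STATUS: succeeds only for "good". Anything else means the
# responder is not ready yet (or the cert is revoked); do not enable
# stapling, or keep SSLStaplingResponseMaxAge very low until it is.
stapling_ready() {
    case "$1" in
        good) return 0 ;;
        *)    return 1 ;;
    esac
}

# Command-line entry point; skipped when sourced without arguments.
if [ "$#" -eq 2 ]; then
    s=$(query_ocsp "$1" "$2")
    if stapling_ready "$s"; then
        echo "OCSP status: good - safe to enable stapling"
    else
        echo "OCSP status: $s - wait before enabling stapling"
        exit 1
    fi
fi
```

Run it as `sh check_ocsp.sh server.pem issuer.pem`; a non-zero exit means the responder is not yet answering "good" for this certificate.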