Bug 61531

Summary: SSLStaplingReturnResponderErrors should return last cached response if is an error upstream
Product: Apache httpd-2
Reporter: Chris Collins <chrysalis>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: normal
Priority: P2
Version: 2.4.27
Target Milestone: ---
Hardware: PC
OS: Windows NT

Description Chris Collins 2017-09-17 23:32:11 UTC
Given the development of must-staple, Apache now needs to implement a sane behaviour.

The SSLStaplingReturnResponderErrors setting, when set to off, will omit any kind of response, which will cause a must-staple enabled domain to generate an error. Instead, Apache should return the last known non-error response, whether that is a revoked certificate or a non-revoked certificate, allowing it to avoid downtime related to temporary short-term OCSP server outages.

In addition, the default setting for SSLStaplingStandardCacheTimeout should be much higher; I suggest 1 day, so 86400.

SSLStaplingFakeTryLater should also be defaulted to off.

Since Chrome and Firefox both operate by default in a soft-fail state, the default options should be tuned for a must-staple scenario, as that is now the only time when OCSP failures actually mean anything.

There is a very old 2014 bug filed on this subject, which sadly had no developer response, but it is not the same specific request.

That bug is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=57121

Finally, Apache needs a way to refresh the staple cache before expiry so it is always in a state where the cache is never expired.
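An httpd configuration fragment, added here and not part of the bug report or of mod_ssl's own documentation, that applies the three settings the report proposes next to the stapling directives they depend on. The hostname, certificate paths and cache path are placeholders; Apache config does not allow comments after a directive on the same line, so each comment sits on its own line.

```apache
# Added example (not from the bug report). Assumes mod_ssl is loaded and the
# certificate's issuer publishes an OCSP responder URL in the certificate.
# Stapling needs a cache shared across worker processes; shmcb is the usual choice.
# /run/httpd/ssl_stapling is a placeholder path.
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"

<VirtualHost *:443>
    # placeholder hostname and paths
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.com.crt
    SSLCertificateKeyFile /etc/ssl/example.com.key

    # Ask mod_ssl to fetch and staple OCSP responses for this certificate.
    SSLUseStapling on

    # Settings as the report proposes:
    # keep a good response cached for a full day rather than the default 3600 s,
    SSLStaplingStandardCacheTimeout 86400
    # do not synthesize a "tryLater" response when the responder cannot be reached,
    SSLStaplingFakeTryLater off
    # and do not forward responder errors to clients.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

With this configuration, a responder outage that outlasts the cached response still leaves the server stapling nothing, which is exactly the gap the report describes; the fallback to the last known non-error response is the behaviour being requested, not something these directives provide. To check what a server actually staples, connect with `openssl s_client -connect example.com:443 -servername example.com -status` and look for the "OCSP Response Data" section in the output.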