Bug 56843 - Support different OCSP stapling max ages
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.10
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2014-08-12 19:42 UTC by Sven Strickroth
Modified: 2014-08-12 19:42 UTC

Description Sven Strickroth 2014-08-12 19:42:38 UTC
Right now, Apache httpd-2.4 only supports one SSLStaplingResponseMaxAge parameter.

For some CAs (like StartSSL) you can obtain a certificate; however, the validity of the certificate is not propagated to the CA's OCSP server immediately (takes up to twenty minutes). This means that, after setting up the certificate in httpd and loading the site too quickly, an "ocsp unknown status" response is cached for the period of SSLStaplingResponseMaxAge (which is 2 days by default). Within this time span no access to the site is possible with OCSP stapling aware clients (restarting httpd doesn't help since the response is cached - the only way to fix this is to set SSLStaplingResponseMaxAge to a very low value, reload httpd, reset SSLStaplingResponseMaxAge to the old/default value and reload again).

There should be a more elegant way to fix this - e.g. by allowing a much shorter maximum caching age for "unknown status" responses.
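
An added example, not part of the bug report or of httpd: a pre-deployment check that polls the CA's OCSP responder until it reports the new certificate as "good", so that httpd is only reloaded once an "unknown" answer can no longer be fetched and cached. Function names, file names and retry counts are assumptions; the sample reply is constructed.

```bash
#!/usr/bin/env bash
# Added example; function names, file names and retry counts are assumptions.

# Reduce `openssl ocsp` output to one word. Its status line has the form
# "<cert file>: good|revoked|unknown"; anything else is reported as "error".
ocsp_status() {
    awk -F': ' '
        $2 ~ /^(good|revoked|unknown)/ { split($2, w, " "); print w[1]; hit = 1; exit }
        END { if (!hit) print "error" }
    '
}

# Ask the responder named in the certificate's AIA extension about CERT.
query_ocsp() {
    local cert=$1 issuer=$2 url
    url=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 1
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$issuer" 2>&1
}

# Constructed sample of a reply received before the CA has propagated the certificate.
sample_unknown_reply() {
    printf 'Response verify OK\nserver.crt: unknown\n\tThis Update: Aug 12 19:40:00 2014 GMT\n'
}

# wait_until_good TRIES DELAY COMMAND...: run COMMAND until it reports "good".
# Returns 0 on good, 2 on revoked, 1 if still unknown/error after TRIES attempts.
wait_until_good() {
    local tries=$1 delay=$2 status
    shift 2
    while [ "$tries" -gt 0 ]; do
        status=$("$@" | ocsp_status)
        if [ "$status" = good ]; then return 0; fi
        if [ "$status" = revoked ]; then return 2; fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
    done
    return 1
}

# Typical use (40 tries x 30 s covers the twenty minutes mentioned above):
#   wait_until_good 40 30 query_ocsp server.crt issuer.crt && apachectl graceful
```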