Bug 61531 - SSLStaplingReturnResponderErrors should return last cached response if there is an error upstream
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.27
Hardware: PC Windows NT
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2017-09-17 23:32 UTC by Chris Collins
Modified: 2017-09-17 23:32 UTC

Description Chris Collins 2017-09-17 23:32:11 UTC
Given the development of must-staple, apache now needs to implement a sane behaviour.

The SSLStaplingReturnResponderErrors setting, when set to off, will omit any kind of response, which will cause a must-staple enabled domain to generate an error. Instead, Apache should return the last known non-error response, whether that is a revoked certificate or a non-revoked certificate, allowing downtime related to temporary short-term OCSP server outages to be avoided.

In addition, the default setting for SSLStaplingStandardCacheTimeout should be much higher; I suggest 1 day, so 86400.

SSLStaplingFakeTryLater should also be defaulted to off.

Since Chrome and Firefox both operate by default in a soft-fail state, the default options should be tuned for a must-staple scenario, as that is now the only time when OCSP failures actually mean anything.

There is a very old 2014 bug filed on this subject, which sadly had no developer response, but it is not the same specific request.

That bug is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=57121

Finally, Apache needs a way to refresh the staple cache before expiry, so it is always in a state where the cache is never expired.
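For reference, the following is an added httpd 2.4 mod_ssl configuration fragment (not part of the bug report and not code from the httpd project) that sets the three stapling directives discussed above to the values the reporter proposes, with the stock defaults noted in comments. The hostname, certificate paths and cache path are placeholders.

```apache
# Added example: stapling configuration for a must-staple certificate,
# using the values proposed in the report. Paths and hostname are placeholders.

# The stapling cache must be declared at server scope, outside any <VirtualHost>.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/path/to/placeholder/cert.pem"
    SSLCertificateKeyFile "/path/to/placeholder/key.pem"

    SSLUseStapling on

    # Default "on": responder errors (e.g. tryLater) are forwarded to the client.
    # "off": only a "good" status is stapled, so during a responder outage no
    # staple is sent at all; a must-staple client treats that as a hard failure.
    SSLStaplingReturnResponderErrors off

    # Default "on": on responder failure mod_ssl synthesises a tryLater response.
    SSLStaplingFakeTryLater off

    # Lifetime of a cached valid response, in seconds. Default 3600; the report
    # proposes 86400 so a short OCSP outage is bridged by the cached response.
    SSLStaplingStandardCacheTimeout 86400

    # Lifetime of a cached error or invalid response, in seconds (default 600).
    SSLStaplingErrorCacheTimeout 600

    # Seconds to wait for the OCSP responder before giving up (default 10).
    SSLStaplingResponderTimeout 10
</VirtualHost>
```

Two caveats. First, these directives only change what is cached and for how long; they do not give the two behaviours the report asks for (serving the last good response after the responder has started failing, and refreshing the cache before it expires), so once the 86400-second entry lapses during an outage the must-staple failure described above still occurs. Second, after a reload, check that a staple is actually being served before relying on it: `openssl s_client -connect www.example.com:443 -status </dev/null` prints an "OCSP Response Status" section when a response was stapled, and omits it when the server sent none.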