Bug 62031 - document better ocsp stapling values
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: HTTP Server Documentation List
Reported: 2018-01-22 15:23 UTC by Björn Jacke
Modified: 2018-01-22 15:23 UTC

Description Björn Jacke 2018-01-22 15:23:31 UTC
https://wiki.apache.org/httpd/OCSPStapling

does not mention how to improve the ocsp stapling settings for better scalability. I suggest the following settings:

# we don't want to send out errors of the OCSP server to the clients:
SSLStaplingReturnResponderErrors off

# the default wait time of 10s is a bit too long, shorten it to 4s, which is still a lot:
SSLStaplingResponderTimeout 4

# high cachetime to minimize cases like in
# https://issues.apache.org/bugzilla/show_bug.cgi?id=57121
# there is really no need to refresh the OCSP response more often than every 48 hours.
# We'll risk bad replies from servers if we query them every hour. And that really
# causes trouble quite often then:
SSLStaplingStandardCacheTimeout 172800

# and in case of ocsp server errors, retry fast after 60s and not keep the bad response for at least 600s:
SSLStaplingErrorCacheTimeout 60

The default values of those parameters cause so many server errors that it's not advisable to enable OCSP stapling without modifying them as pointed out above.
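A 48-hour SSLStaplingStandardCacheTimeout is only safe if the responder's own validity window (the Next Update field in the stapled response) reaches at least that far ahead; otherwise httpd would keep serving a response clients may treat as expired. The following added example (not part of the bug report or of httpd) parses the block that `openssl s_client -status` prints for a stapled response and checks a proposed cache timeout against that window; the captured text and the clock value are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the OCSP block printed by `openssl s_client -status`
# (not a real capture; times chosen to sit around the bug's report date).
SAMPLE_GOOD = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 20 12:00:00 2018 GMT
    Next Update: Jan 27 12:00:00 2018 GMT
"""
# Constructed responder error: no Cert Status / validity fields at all.
SAMPLE_TRYLATER = "OCSP Response Data:\n    OCSP Response Status: trylater (0x3)\n"

def _parse_time(s):
    # openssl prints ASN.1 times as e.g. "Jan 27 12:00:00 2018 GMT"
    return datetime.strptime(s.strip().replace(" GMT", ""),
                             "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_stapled_response(text):
    """Extract status and validity window; None if nothing was stapled."""
    m = re.search(r"OCSP Response Status: (\w+)", text)
    if not m or "no response sent" in text:
        return None
    resp = {"response_status": m.group(1), "cert_status": None,
            "this_update": None, "next_update": None}
    m = re.search(r"Cert Status: (\w+)", text)
    if m:
        resp["cert_status"] = m.group(1)
    for key, label in (("this_update", "This Update"), ("next_update", "Next Update")):
        m = re.search(label + r": (.+)", text)
        if m:
            resp[key] = _parse_time(m.group(1))
    return resp

def check_cache_timeout(resp, cache_timeout, now):
    """Is caching this response for cache_timeout seconds safe? -> (ok, reason)"""
    if resp is None:
        return False, "no stapled response"
    if resp["response_status"] != "successful":
        return False, "responder error: " + resp["response_status"]
    if resp["cert_status"] != "good" or resp["next_update"] is None:
        return False, "cert status %s / missing validity window" % resp["cert_status"]
    remaining = int((resp["next_update"] - now).total_seconds())
    if remaining < cache_timeout:
        return False, "Next Update in %ds < cache timeout %ds" % (remaining, cache_timeout)
    return True, "%ds of validity left beyond cache timeout" % remaining
```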