Re: Correctly configuring OCSP Stapling cache

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, this is definitely an area where the server can and should be 
improved. Marat already provided the link to the article discussing
this last year and the situation is unchanged, unfortunately. Not for
lack of recognition of the problem, but more a lack of time and
effort, I think.

What I do on my servers (beside what you already wrote) is

	SSLStaplingCache        dbm:ocsp-stapling

use a permanent cache, so a restart of the server does not require
it to refetch all responses. 

-Stefan

> Am 17.01.2018 um 20:21 schrieb Johannes Bauer <dfnsonfsduifb@xxxxxx>:
> 
> Hi Apache users,
> 
> I've configured OCSP stapling and use certificates that use the
> OCSP-must-staple X.509 extension. I *must* use stapling. My CA
> LetsEncrypt has fairly long OCSP ticket lifetimes (7 days), but their
> OCSP responder can be flaky at times.
> 
> This means that I've now had outages a couple of times where a "retry
> later" response was cached by Apache, forwarded to clients, effectively
> grinding everything to a halt. After RTFMing a bit, I've modified my
> configuration so this cannot happen again:
> 
> SSLUseStapling on	
> SSLStaplingCache shmcb:/var/run/apache2/ssl_stapling(262144)
> 
> SSLStaplingErrorCacheTimeout 30
> SSLStaplingStandardCacheTimeout 8640000
> SSLStaplingReturnResponderErrors off
> 
> However, I'm not sure this is what I want. Here's describing the
> algorithm I actually want, in pseudocode:
> 
> cached_ticket = get_cache()
> if (cached_ticket.expired()) {
> 	remove_cache(cached_ticket)
> 	cached_ticket = null;
> }
> 
> try_for_new_ticket = !cached_ticket || (cached_ticket.age() > 86400)
> if (try_for_new_ticket) {
> 	new_ticket = ask_ocsp_responer()	
> 	if (new_ticket) {
> 		put_cache(new_ticket);
> 		cached_ticket = new_ticket;
> 	}
> }
> 
> return cached_ticket
> 
> 
> I.e., the following: Only ever do valid tickets end up in the cache.
> After a period that is *shorter* than the ticket lifetime (one day in my
> example), Apache tries to refresh the ticket. If a valid ticket is
> returned by the responder, that ticket replaces the currently cached one
> and is returned. If an invalid ticket ("try again" or timeout) is
> returned by the responder, the valid cached ticket is returned.
> 
> That way, any outage need to be be longer than 6 days for the outage to
> actually affect my clients.
> 
> I do not see how I can configure this in Apaches variables and the only
> other posting I have found regarding this topic is
> https://lists.gt.net/apache/users/437736 which received zero responses.
> 
> Can someone please clarify how to set up this properly so that a
> scenario is resulted as I describe it (i.e, try renewal already much
> before the ticket is expired)?
> 
> Thank you in advance,
> Johannes
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux