Hi Stefan,

On 18.01.2018 10:00, Stefan Eissing wrote:
> Yes, this is definitely an area where the server can and should be
> improved. Marat already provided the link to the article discussing
> this last year and the situation is unchanged, unfortunately. Not for
> lack of recognition of the problem, but more a lack of time and
> effort, I think.

I'm thinking about coding an OCSP proxy that would cache responses. It could be used for other webservers as well that do not have desirable caching behavior. The forced redirect option of Apache allows for this to be integrated easily. Must give it a long and hard think about how much this really annoys me and if it's worth the effort (especially considering it would become kind of obsolete once Apache fixes this for good).

> What I do on my servers (beside what you already wrote) is
>
>   SSLStaplingCache dbm:ocsp-stapling
>
> use a permanent cache, so a restart of the server does not require
> it to refetch all responses.

Good catch. I think I'll do this as well.

Cheers,
Joe