Re: Correctly configuring OCSP Stapling cache

Hi Stefan,

On 18.01.2018 10:00, Stefan Eissing wrote:
> Yes, this is definitely an area where the server can and should be 
> improved. Marat already provided the link to the article discussing
> this last year and the situation is unchanged, unfortunately. Not for
> lack of recognition of the problem, but more a lack of time and
> effort, I think.

I'm thinking about coding an OCSP proxy that would cache responses. It
could be used for other webservers as well that do not have desirable
caching behavior. The forced redirect option of Apache allows for this
to be integrated easily.

Must give it a long and hard think about how much this really annoys me
and if it's worth the effort (especially considering it would become
kind of obsolete once Apache fixes this for good).


> What I do on my servers (beside what you already wrote) is
> 
> 	SSLStaplingCache        dbm:ocsp-stapling
> 
> use a permanent cache, so a restart of the server does not require
> it to refetch all responses. 

Good catch. I think I'll do this as well.

Cheers,
Joe
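
The two settings discussed in this message, put together as an added configuration example (not from either poster's actual setup). The shmcb path and size, the certificate paths, the server name and the local proxy address are assumptions.

```apache
# Added example; paths, sizes and the proxy address are assumptions.

# Global (server config) context, outside any <VirtualHost>.
SSLUseStapling On

# Before: shared-memory cache, so responses are refetched after a restart.
#SSLStaplingCache shmcb:/var/run/ocsp-stapling(128000)

# After: the DBM cache from the quoted message, kept on disk across restarts.
SSLStaplingCache dbm:ocsp-stapling

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem

    # "Forced redirect": send OCSP queries to a local caching proxy
    # (hypothetical listener) instead of the responder URL in the certificate.
    SSLStaplingForceURL http://127.0.0.1:8080/
</VirtualHost>
```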

