> On 18.01.2018 at 20:10, Johannes Bauer <dfnsonfsduifb@xxxxxx> wrote:
>
> Hi Stefan,
>
> On 18.01.2018 10:00, Stefan Eissing wrote:
>> Yes, this is definitely an area where the server can and should be
>> improved. Marat already provided the link to the article discussing
>> this last year and the situation is unchanged, unfortunately. Not for
>> lack of recognition of the problem, but more a lack of time and
>> effort, I think.
>
> I'm thinking about coding an OCSP proxy that would cache responses. It
> could be used for other webservers as well that do not have desirable
> caching behavior. The forced redirect option of Apache allows for this
> to be integrated easily.

If you want to write code, a good place in Apache nowadays is mod_md for such a thing:
- it knows about all domains and looks at certs already (well, for the configured domains at least)
- it actively scans domains for needs, e.g. could renew responses periodically instead of request triggered
- it has file system persistence
- it has a proxy-able HTTP client

If I would not be busy otherwise...

-Stefan

> Must give it a long and hard think about how much this really annoys me
> and if it's worth the effort (especially considering it would become
> kind of obsolete once Apache fixes this for good).
>
>> What I do on my servers (beside what you already wrote) is
>>
>> SSLStaplingCache dbm:ocsp-stapling
>>
>> use a permanent cache, so a restart of the server does not require
>> it to refetch all responses.
>
> Good catch. I think I'll do this as well.
>
> Cheers,
> Joe
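As an added example (not part of this thread), an Apache mod_ssl stapling configuration that puts the volatile shared-memory cache next to the persistent dbm cache Stefan describes, with the related timeout directives; the file paths and host name are assumptions.

```apache
# Server-config context: the OCSP stapling cache is global, not per vhost.
# Weak setting: shmcb is a shared-memory segment, so it is lost on restart
# and every certificate is re-fetched from the OCSP responder afterwards.
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# Corrected setting: a dbm file survives restarts. Path is an assumption;
# a relative path is resolved against ServerRoot.
SSLStaplingCache "dbm:logs/ocsp-stapling"

# Seconds a "good" response is kept before mod_ssl refreshes it.
SSLStaplingStandardCacheTimeout 86400
# Keep failed lookups only briefly so a transient responder outage
# does not pin a bad result in the cache.
SSLStaplingErrorCacheTimeout 300
# A slow responder otherwise stalls the TLS handshake for the client.
SSLStaplingResponderTimeout 5
# Staple only responses with certificate status "good"; do not pass
# responder errors such as tryLater through to clients.
SSLStaplingReturnResponderErrors off

<VirtualHost *:443>
    # Assumed host name and certificate paths.
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem
    # Per-host switch; requires the global SSLStaplingCache above.
    SSLUseStapling on
</VirtualHost>

# Check after a restart, before the first request has warmed anything:
#   openssl s_client -connect www.example.com:443 -status </dev/null
# A stapled response shows "OCSP Response Status: successful" in the output.
```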