
Bug#933129: apache2: OCSP stapling poorly handled, yielding trylater errors in the client



The upstream bugs to watch for:

  https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
  "ocsp stapling should not pass temporary server outages to clients"

  https://bz.apache.org/bugzilla/show_bug.cgi?id=60182
  "SSLStaplingFakeTryLater Deviates From Documented Behavior of Only
  Being Effective When SSLStaplingReturnResponderErrors is On"

A possible workaround:

  https://community.letsencrypt.org/t/robust-ocsp-stapling-with-apache-httpd/87896

And the mod_md workaround suggested in the upstream bugs is currently
not possible in Debian as this module is too old for OCSP stapling:

  https://serverfault.com/questions/1007247/apache-httpd-how-to-enable-ocsp-stapling-with-mod-md

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

