Bug#933129: apache2: OCSP stapling poorly handled, yielding trylater errors in the client
The upstream bugs to watch for:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
"ocsp stapling should not pass temporary server outages to clients"
https://bz.apache.org/bugzilla/show_bug.cgi?id=60182
"SSLStaplingFakeTryLater Deviates From Documented Behavior of Only
Being Effective When SSLStaplingReturnResponderErrors is On"
A possible workaround:
https://community.letsencrypt.org/t/robust-ocsp-stapling-with-apache-httpd/87896
And the mod_md workaround suggested in the upstream bugs is currently
not possible in Debian as this module is too old for OCSP stapling:
https://serverfault.com/questions/1007247/apache-httpd-how-to-enable-ocsp-stapling-with-mod-md
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)