Implement OCSP stapling for Apache #930
Comments
@sagi has expressed some interest in working on this
Yes. I'm currently working on an HSTS header enhancement. OCSP stapling is next.
FYI: I think we eventually want OCSP Stapling (but not Must Staple) to be enabled by default when autoconfiguring Apache. However, for the first release that includes this code, we should probably require a flag to request the enhancement. That way people can test and find bugs before we make it the default. Also, one tricky thing that @SwartzCr noticed: I believe OCSP Stapling in Apache depends on the socache_shmcb module, which was introduced in 2.4. In order to be backwards compatible with 2.2 you'll have to check the version you're working with. It's possible that OCSP Stapling works in 2.2 if you simply omit the shmcb parts. You may also be able to fudge it for a first pass by only enabling OCSP Stapling for 2.4+.
@sagi, were you able to make progress on this over the weekend?
Not much. I mostly read RFC 7633 and messed with its Apache config.
If it helps, I have some example configs at https://github.com/jsha/ocsp-stapling-examples.
@jsha, @pde: I tend to agree with Adam Langley's take on OCSP Stapling - it must be entwined with the
From reading that post, I don't see an assertion that Stapling should be disabled unless Must Staple is present in the certificate. The point I see in that post is that individuals should not enable revocation checking in their Chrome browser. Note that Firefox and MSIE still check OCSP, even though Chrome doesn't. For users of those browsers, non-stapled OCSP is both a performance and privacy loss. For Let's Encrypt, non-stapled OCSP increases the number of requests we have to serve. Those three reasons are why I think we should make Stapling the default. Cloudflare agrees.
No, that is not what I meant. Got it. Thanks.
It may help to provide a tested "incantation". -----begin---- I believe if you add this to the file /etc/letsencrypt/options-ssl-apache.conf then that's all you need to do to close this bug. To test, you can use SSLLabs.com and search for "OCSP stapling" in the protocol details.
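The "incantation" and the test step above, plus the 2.2-versus-2.4 version caveat from earlier in the thread, as an added example that is not certbot's code and was not posted by any commenter: a POSIX shell script that emits the Apache stapling directives only for 2.4+ (SSLStaplingCache needs mod_socache_shmcb), and a function that reads a transcript of `openssl s_client -status` and reports whether a stapled response was actually delivered. The function names, the shmcb cache path and the sample transcripts are my own constructions.

```shell
#!/bin/sh
# Added example (not certbot's code): choose Apache OCSP stapling directives by
# version and verify stapling from an `openssl s_client -status` transcript.

# Extract "major.minor.patch" from an `httpd -v` / `apache2ctl -v` banner read
# on stdin, e.g. "Server version: Apache/2.4.41 (Ubuntu)" -> "2.4.41".
apache_version_from_banner() {
  sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Print the stapling directives for the given Apache version.
# SSLStaplingCache depends on mod_socache_shmcb, which only exists in 2.4+, so
# for 2.2 nothing is printed and the function returns 1 (leave stapling off).
# Caveat: SSLStaplingCache is valid only in server config context, i.e. outside
# any <VirtualHost>; SSLUseStapling may live inside the vhost. The cache path
# below is a constructed example relative to ServerRoot.
stapling_directives() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 4 ]; }; then
    cat <<'EOF'
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
EOF
    return 0
  fi
  return 1
}

# Read a transcript of `openssl s_client -connect HOST:443 -status </dev/null`
# on stdin and print "stapled", "none" or "error"; return 0 only for "stapled".
# "none" means the server sent no stapled response at all; "error" means a
# response came back but was not a successful "good" status.
check_stapling_transcript() {
  t=$(cat)
  case $t in
    *'OCSP response: no response sent'*) echo none; return 1 ;;
  esac
  case $t in
    *'OCSP Response Status: successful'*)
      case $t in
        *'Cert Status: good'*) echo stapled; return 0 ;;
      esac ;;
  esac
  echo error
  return 1
}

# Constructed sample transcripts (abridged; not captured from a real server).
sample_stapled() {
  cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2016 GMT
======================================
EOF
}
sample_none() {
  cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Demo: pick directives for the locally installed Apache, if there is one,
# then run the transcript check over the constructed samples.
ver=$( (apache2ctl -v 2>/dev/null || httpd -v 2>/dev/null) | apache_version_from_banner )
if [ -n "$ver" ]; then
  echo "Apache $ver:"
  stapling_directives "$ver" || echo "  (no stapling: needs 2.4+ for mod_socache_shmcb)"
fi
echo "constructed stapled transcript -> $(sample_stapled | check_stapling_transcript)"
echo "constructed no-response transcript -> $(sample_none | check_stapling_transcript)"
```

To use it against a live host, pipe `openssl s_client -connect example.test:443 -status </dev/null 2>/dev/null | check_stapling_transcript` (hostname constructed); a result of "none" after enabling the directives usually means httpd has not yet fetched a response from the responder, so repeat after a second connection before concluding the config is wrong.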
This was resolved in #2723. |
OCSP Stapling is important for end-user privacy, end-user performance, and traffic offload for Let's Encrypt. We should implement it in Apache. Here's an example config: https://github.com/jsha/ocsp-stapling-examples.