[PATCH] OCSP stapling: better handling of successful OCSP responses.
Maxim Dounin
mdounin at mdounin.ru
Mon May 20 10:56:43 UTC 2013
Hello!
On Fri, May 17, 2013 at 04:32:12PM -0700, Piotr Sikora wrote:
> Hey Maxim,
>
> > Presenting a certificate and a non-good certificate status to a
> > user looks like "bees against honey" for me. I would rather not.
>
> While I agree that it looks kind of iffy, by not caching OCSP
> responses with "revoked" or "unknown" certificate status, we're
> loosing all of the OCSP stapling advantages (offloading CA's OCSP
> responders, improving user's privacy and perceived performance), while
> not changing anything for the user - he'll still receive exactly the
> same certificate status directly from CA's OCSP responder, just a few
> hundred milliseconds later.
Yes, but this only happens if client actually does an OCSP
request (and the user will query the same ocsp server, and
response will be the same).
>From site owner point of view - returning a non-good certificate
status reduces probability of a client being served, and thus
isn't a good idea. As this is exceptional situation - I don't
think that site owner will care much about few milliseconds delay
before a user sees a "bad certificate" browser's page. On the
other hand, percentage of users who won't see the page (and will
be able to work normally) usually matters.
I understand that from a caching provider point of view this might
look different though. You may consider adding a control for
this, e.g., it looks like Apache has something similar called
SSLStaplingReturnResponderErrors:
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslstaplingreturnrespondererrors
--
Maxim Dounin
http://nginx.org/en/donation.html
More information about the nginx-devel
mailing list