Apache - robust OCSP stapling config


#1

Hey there,
Since the “letsencrypt.org DNS troubles” last week also caught our web servers off guard, I’m going to try to optimize the OCSP configuration on our Apache servers.

Currently I got this config:

SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingStandardCacheTimeout 259200
SSLStaplingErrorCacheTimeout 1200
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(512000)

I’ve already googled and browsed the boards, but didn’t really find any good suggestions on how to configure Apache stapling to be more robust.
Is there any possibility to tell Apache to re-fetch/validate the response one day before the cache is going to expire?
Or are there any other suggestions on how to configure robust OCSP stapling in Apache?

Thank you, bye from Austria
Andreas
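
The thread asks for a "re-fetch one day before the cache expires" knob, and the answers below say mod_ssl has none. What a practitioner ends up running instead is an external freshness check. The following is an added example, not code from the thread or from the Apache project: a Python monitor that parses the OCSP section printed by `openssl s_client -status`, alerts when no staple is served, when the staple carries a responder error or a non-good status, when it has expired, or when its nextUpdate is within a margin (one day by default), and derives a conservative upper bound for SSLStaplingStandardCacheTimeout from the response's validity window. The two sample outputs are constructed; the only network call is the `openssl` invocation in `fetch_status_output`, and the output field names assumed here are the ones openssl's OCSP printer emits.

```python
#!/usr/bin/env python3
"""External OCSP stapling monitor (added example, not from the thread).

Parses the OCSP section that `openssl s_client -status` prints and reports
whether a fresh, good staple was served, so a missing or expiring response
is caught before clients see it. Sample outputs below are constructed.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed: what openssl prints for a host that staples a good response.
SAMPLE_GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jul  5 10:00:00 2018 GMT
    Responses:
    Cert Status: good
    This Update: Jul  5 10:00:00 2018 GMT
    Next Update: Jul 12 10:00:00 2018 GMT
======================================
"""

# Constructed: what openssl prints when nothing was stapled at all.
SAMPLE_NONE = "OCSP response: no response sent\n"

OCSP_TIME = "%b %d %H:%M:%S %Y"  # "Jul  5 10:00:00 2018" after the GMT suffix is stripped


def utc(*args):
    """datetime at a fixed UTC instant, for scripted checks against a known time."""
    return datetime(*args, tzinfo=timezone.utc)


def _field(output, name):
    m = re.search(r"^\s*" + re.escape(name) + r": (.+)$", output, re.M)
    return m.group(1).strip() if m else None


def _time(value):
    # openssl zero-pads nothing, so the day may be preceded by two spaces;
    # strptime treats a space in the format as "one or more whitespace".
    return datetime.strptime(value.replace(" GMT", ""), OCSP_TIME).replace(tzinfo=timezone.utc)


def parse_staple(output):
    """Describe the stapled response, or return {'stapled': False} if none was sent."""
    if "OCSP Response Data" not in output:
        return {"stapled": False}
    return {
        "stapled": True,
        "response_status": _field(output, "OCSP Response Status"),
        "cert_status": _field(output, "Cert Status"),
        "this_update": _time(_field(output, "This Update")),
        "next_update": _time(_field(output, "Next Update")),
    }


def evaluate(info, now=None, margin=timedelta(days=1)):
    """Return (ok, reason). ok is False when no staple was sent, a responder error
    was stapled, the certificate is not 'good', the response has expired, or it
    expires within `margin` (the early-refresh point the thread asks about, done
    as an alert because mod_ssl has no directive for it)."""
    now = now or datetime.now(timezone.utc)
    if not info["stapled"]:
        return False, "no OCSP response stapled"
    if not info["response_status"].startswith("successful"):
        return False, "responder error stapled: " + info["response_status"]
    if info["cert_status"] != "good":
        return False, "certificate status is " + info["cert_status"]
    remaining = info["next_update"] - now
    if remaining <= timedelta(0):
        return False, "stapled response expired at " + info["next_update"].isoformat()
    if remaining <= margin:
        return False, f"stapled response expires in {remaining}, refresh now"
    return True, f"good staple, valid for another {remaining}"


def max_safe_cache_timeout(info, margin=timedelta(days=1)):
    """Seconds for SSLStaplingStandardCacheTimeout so that a copy cached right
    after fetch is not still served inside the last `margin` of its validity:
    the response's validity window minus the margin."""
    window = info["next_update"] - info["this_update"]
    return max(0, int((window - margin).total_seconds()))


def fetch_status_output(host, port=443):
    """Run openssl s_client -status against a live host (the only network call)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    out = fetch_status_output(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_GOOD
    ok, reason = evaluate(parse_staple(out))
    print(("OK: " if ok else "ALERT: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it with a hostname as the first argument from cron or a monitoring agent; a non-zero exit means the staple needs attention. Against the constructed seven-day window the cache bound comes out at six days, which makes the original poster's 259200 seconds (three days) the conservative side; the bound only tells you how long a cached copy could be served, not when mod_ssl actually re-fetches, so the alert on `next_update` is the check that matters.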


#2

No one? Nothing? :zipper_mouth_face:


#3

Maybe @icing would have thoughts on this? (Apologies if you don’t, I’m guessing based on your mod_md experience you might or could direct the question to a subject matter expert)


#4

I guess you already saw @hannob’s blog post (from June 27, 2018):

https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

There’s currently no way to configure Apache to handle OCSP stapling in a reasonable way


#5

As written in the blog post by @hannob, the OCSP implementation in Apache is not its strongest point. I agree with his recommendations. Besides those, I would recommend using a persistent cache, so stapling responses survive reloads. Something like:

SSLStaplingCache        dbm:ocsp-stapling

#6

Unfortunately Apache nukes the OCSP stapling cache upon restarts even when using on-disk dbm cache files.

I attempted to tackle the issue of OCSP response caching, prefetching and dbm preservation in the Certbot Apache plugin, but it turns out that the underlying dbm engine flavor gets decided at compile time, and I’m seeing a lot of variance in precompiled Apache packages of different Linux distributions. In some distros the selected dbm format is also one that isn’t supported by Python’s dbm module. I’m still investigating whether there’s a way to make this work, but it doesn’t look too good.
