Hey there,
since the “letsencrypt.org” DNS troubles last week also caught our web servers off guard, I’m going to try to optimize the OCSP configuration on our Apache servers.
Currently I have this config:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingStandardCacheTimeout 259200
SSLStaplingErrorCacheTimeout 1200
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(512000)
Already googled / browsed the boards, but didn’t really find any good suggestions on how to configure Apache stapling to be more robust…
Is there any possibility to tell Apache to re-fetch/validate the response 1 day before the cache is going to expire?
Or are there any other suggestions on how to configure robust OCSP stapling in Apache?
Maybe @icing would have thoughts on this? (Apologies if you don’t; I’m guessing, based on your mod_md experience, that you might, or could direct the question to a subject matter expert.)
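A client-side freshness check for the stapled response, added here as an example and not code from the thread or from Apache: it parses what `openssl s_client -status` prints about the staple (the excerpt embedded below is constructed, not a real capture) and reports a missing staple, a non-good status, or a nextUpdate closer than a chosen margin such as the one day asked about above. Running it from cron against each vhost is one way to notice a stale or absent staple before clients do.

```python
import re
import sys
from datetime import datetime, timedelta, timezone
# Constructed excerpt of `openssl s_client -status` output, not a real capture.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Jan 10 12:00:00 2024 GMT
======================================
"""
SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"

def parse_openssl_time(text):
    """OpenSSL prints 'Jan  3 12:00:00 2024 GMT'; collapse the padding and parse."""
    compact = " ".join(text.split())
    return datetime.strptime(compact, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_staple(output):
    """Return the fields of the stapled response, or None if the server sent none."""
    if re.search(r"^OCSP response: no response sent", output, re.M):
        return None
    fields = {}
    for key in ("OCSP Response Status", "Cert Status", "Next Update"):
        m = re.search(rf"^\s*{re.escape(key)}: (.+)$", output, re.M)
        if m:
            fields[key] = m.group(1).strip()
    return fields

def assess(output, now, margin=timedelta(days=1)):
    """Classify the staple: missing, error, not_good, expired, refresh (inside margin) or ok."""
    fields = parse_staple(output)
    if fields is None:
        return "missing"
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        return "error"
    if fields.get("Cert Status") != "good":
        return "not_good"
    remaining = parse_openssl_time(fields["Next Update"]) - now
    if remaining <= timedelta(0):
        return "expired"
    return "refresh" if remaining <= margin else "ok"

if __name__ == "__main__":  # pipe `openssl s_client -connect HOST:443 -servername HOST -status </dev/null` in
    verdict = assess(sys.stdin.read(), datetime.now(timezone.utc))
    print(verdict)
    sys.exit(0 if verdict == "ok" else 1)
```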
As written in the blog post by @hannob, the OCSP implementation in Apache is not its strongest point. I agree with his recommendations. Besides those, I would recommend using a persistent cache, so stapling responses survive reloads. Something like:
Unfortunately, Apache nukes the OCSP stapling cache upon restarts even when using on-disk dbm cache files.
I attempted to tackle the issue of OCSP response caching, prefetching and dbm preservation in the Certbot Apache plugin, but it turns out that the underlying dbm engine flavor gets decided at compile time, and I’m seeing a lot of variance in precompiled Apache packages of different Linux distributions. In some distros the selected dbm format is also one that isn’t supported by the Python dbm module. I’m still investigating whether there’s a way to make this work, but it doesn’t look too good.