OCSP stapling rate limits by large providers

Hello,
do you have any rate limits on OCSP requests done from one IP by large providers?

Thank you

I obviously do not speak on behalf of Let’s Encrypt, but as far as I know, OCSP replies are served through Akamai’s CDN, so I’m guessing it doesn’t really matter how many requests you’re doing, as long as you’re not making so many requests that it would be categorised as DoS-ing a CDN :stuck_out_tongue:

Hi @ondrej

Have a review of this article: OCSP with LetsEncrypt Used to Work But Now Doesn't

It provides some good insights. Essentially I would plan to space out these requests, as they may get queued and not processed.

You should also try a retry strategy.

Andrei

@ahaw021: You should not draw the conclusion from that article that there is a queuing or rate limiting system in place for OCSP requests. As far as Let’s Encrypt is concerned, there is no such limit.

We do use Akamai in the middle, and they try to mitigate some attack vectors. I’m not aware of any rate limiting that they do, but I’ll check into it.

@ondrej, the short answer is to go ahead and request OCSP as much as you want. Because the responses are highly cacheable it is very unlikely to be a burden on Let’s Encrypt. If you run into any problems, please don’t hesitate to update here and we’ll try to figure them out.

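A stapling refresh scheduler that follows the advice in this thread (space requests out, retry with backoff on failure, and lean on the cacheable validity window), as an added example and not code from Let’s Encrypt or from anyone posting above; `OcspResponse`, `StaplingRefresher` and the injected `fetch` callable are assumed names, and the timestamps in the test are constructed.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class OcspResponse:
    # Fields a parsed OCSP response carries (names assumed); der is the raw staple bytes.
    this_update: datetime
    next_update: datetime
    der: bytes


def next_refresh_time(resp: OcspResponse, now: datetime, fraction: float = 0.5) -> datetime:
    """Re-fetch once `fraction` of the validity window has elapsed, never earlier than now.
    Refreshing partway through the window leaves room for retries before the staple expires."""
    window = resp.next_update - resp.this_update
    return max(now, resp.this_update + window * fraction)


def backoff_delay(attempt: int, base: float = 60.0, cap: float = 3600.0, rng=random.random) -> float:
    """Exponential backoff with full jitter (seconds), so a fleet does not retry in lockstep."""
    return rng() * min(cap, base * (2 ** attempt))


class StaplingRefresher:
    """Keeps one cached staple and decides when the next OCSP request is actually due."""

    def __init__(self, fetch, now: datetime, rng=random.random):
        self.fetch = fetch          # callable returning OcspResponse; raises on failure
        self.rng = rng
        self.cached = None
        self.attempt = 0
        self.due = now

    def tick(self, now: datetime):
        """Call periodically; returns the staple to serve, or None if nothing valid is held."""
        if self.cached is not None and self.cached.next_update <= now:
            self.cached = None      # an expired staple must not be served; clients would reject it
        if now < self.due:
            return self.cached      # not due: no request goes to the responder at all
        try:
            resp = self.fetch()
        except Exception:
            self.attempt += 1
            self.due = now + timedelta(seconds=backoff_delay(self.attempt, rng=self.rng))
            return self.cached      # keep serving the still-valid cached staple meanwhile
        self.cached, self.attempt = resp, 0
        self.due = next_refresh_time(resp, now)
        return resp
```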