Robust OCSP Stapling with Apache httpd

There are lots of posts here about OCSP stapling with Apache httpd (cf. Apache - robust OCSP stapling config, OCSP stapling advantages and disadvantages and What if Let's Encrypt goes down? - OCSP Stapling, just to name a few); however, all of those posts are closed now. There is also a blog post describing the problematic stapling implementation of Apache httpd (). The main problems are that OCSP responses are fetched synchronously and thus introduce a delay in the TLS handshake (especially if the OCSP responder goes down or is slow). This is a particular problem if OCSP Must-Staple is used.

TL;DR: Today I found a nice small project (far fewer dependencies than , which mainly targets nginx and HAProxy) which provides a workaround for these issues.

The project is . It provides a small HTTP proxy which caches OCSP responses (in Redis) and also refreshes them automatically and periodically. This way there is no cold-start problem for Apache httpd while its stapling cache is still empty, and OCSP responses remain cached in case the OCSP responder goes down or responds slowly.

A working configuration is:

<IfModule mod_ssl.c>
SSLUseStapling on
SSLStaplingResponderTimeout 4
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLStaplingErrorCacheTimeout 60

# for ocsp_proxy,
SSLStaplingStandardCacheTimeout 3600
</IfModule>
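To verify that a server configured this way actually staples a fresh, "good" OCSP response, the following added example (not part of the original post or of the proxy project) classifies the output of `openssl s_client -status`; it assumes the openssl CLI is installed and only parses its text output:

```sh
#!/bin/sh
# Read `openssl s_client -status` output from stdin and print one of:
#   stapled-good, stapled-revoked, stapled-unknown, stapled-error, no-staple
# Exit status is 0 only for stapled-good, so the function can feed a monitor.
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo no-staple; return 1 ;;
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo stapled-good;    return 0 ;;
                *"Cert Status: revoked"*) echo stapled-revoked; return 2 ;;
                *)                        echo stapled-unknown; return 3 ;;
            esac ;;
        *"OCSP Response Status:"*) echo stapled-error; return 4 ;;  # e.g. tryLater
        *) echo no-staple; return 1 ;;
    esac
}

# Print the "Next Update" field of a stapled response (empty if none);
# a value in the past means the cache handed out a stale response.
next_update() {
    sed -n 's/^[[:space:]]*Next Update: //p'
}

# Connect to host[:port] with SNI and request stapling (-status).
check_stapling() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}
```

Run as `check_stapling example.org` from a cron job or monitoring agent; a result other than `stapled-good`, or a `Next Update` in the past, indicates the proxy or httpd cache is not serving fresh responses.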

I hope this is helpful for you.
