AnsweredAssumed Answered

ocsp stapling test needs enhancement

Question asked by Bee Jay on May 23, 2014
Latest reply on May 26, 2014 by Ivan Ristić



i think the oscp stapling test need some enhancement. I set up an Apache 2.4 recently with ocsp stapling enabled but I was not able to access the site with firefox 29 because firefox gave a hard failure cause the server replied a "try later" ocsp status. The reason for the "try later" was that Apache was not able to access the oscp server cause it would need to use a proxy for that (which is not supported currently but an iptables redirect rule and a local tinyproxy can make it work in such a case). Chrome for example does not hard fail on a oscp "try later" status so this configuration problem might not be so obvious for some people and a big warning in ssltest would be very apreviated. In addition to that also some details about the time when the oscp data was generated and when it will expire would be nice to have.