[Bug 61818] OCSP "SSLUseStapling on" completely blocking the server when something is off with the responder
https://bz.apache.org/bugzilla/show_bug.cgi?id=61818

--- Comment #7 from Archie Cobbs <archie@dellroad.org> ---
We had a similar problem where nobody could log in just now. The root cause was
that DNS lookups for the OCSP responder were failing.

Our configuration:

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

The errors that were logged:

[ssl:error] [pid 103363] (EAI 2)Name or service not known: [client X.X.X.X:X] AH01972: could not resolve address of OCSP responder r3.o.lencr.org
[ssl:error] [pid 103363] AH01941: stapling_renew_response: responder error

Here's my main issue with this behavior: We have explicitly configured
"SSLStaplingResponderTimeout 5", but the connections were hanging for much
longer than that. Presumably this is because "SSLStaplingResponderTimeout" only
applies to the TCP connection, not the DNS lookup that precedes it.

But this means "SSLStaplingResponderTimeout" is not really useful because it
only gives a partial guarantee that the time spent futzing with OCSP will be
limited.

Instead, "SSLStaplingResponderTimeout" should limit the time spent on the
ENTIRE OCSP operation including DNS lookup, TCP connection, etc.
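An added illustration (not part of the bug report and not httpd's code) of the distinction the comment draws: a timeout that bounds only the connect phase leaves a hanging DNS lookup unbounded, whereas a deadline applied to the whole operation returns within the configured time regardless of which phase stalls. The resolver and connect functions below are constructed stand-ins, and the per-phase model is an assumption about what a connect-only timeout would do, not a description of mod_ssl internals.

```python
import concurrent.futures
import time

# Constructed stand-ins for the phases of an OCSP fetch. Real code would call
# getaddrinfo() and open an HTTP connection; here the resolver is deliberately
# slow and then fails, reproducing the failing-DNS situation from the comment.
def slow_resolve(hostname, delay):
    time.sleep(delay)  # hangs like a resolver whose upstream is unreachable
    raise OSError("Name or service not known: %s" % hostname)

def connect(address, timeout):
    return "connected to %s within %.1fs" % (address, timeout)

def fetch_per_phase(hostname, resolver_delay, connect_timeout):
    """Per-phase timeout: only the connect step is bounded, the DNS step is not.
    Models the behaviour the comment suspects of SSLStaplingResponderTimeout."""
    start = time.monotonic()
    try:
        address = slow_resolve(hostname, resolver_delay)
        connect(address, connect_timeout)
        outcome = "ok"
    except OSError:
        outcome = "responder error"
    return outcome, time.monotonic() - start

def fetch_with_deadline(hostname, resolver_delay, deadline):
    """Whole-operation deadline: DNS + connect run in a worker and the caller
    waits at most `deadline` seconds, whichever phase is the slow one."""
    start = time.monotonic()
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(
        lambda: connect(slow_resolve(hostname, resolver_delay), deadline))
    try:
        future.result(timeout=deadline)
        outcome = "ok"
    except concurrent.futures.TimeoutError:
        outcome = "deadline exceeded"  # give up; serve the handshake unstapled
    except OSError:
        outcome = "responder error"
    finally:
        pool.shutdown(wait=False)  # do not block on the still-hanging resolver
    return outcome, time.monotonic() - start

if __name__ == "__main__":
    # Resolver takes 0.5s; the configured limit in both cases is 0.1s.
    print(fetch_per_phase("r3.o.lencr.org", 0.5, 0.1))      # ~0.5s elapsed
    print(fetch_with_deadline("r3.o.lencr.org", 0.5, 0.1))  # ~0.1s elapsed
```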
