On Nov 25, 2015, at 9:40 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Nov 25, 2015 at 02:21:16PM +0000, Scott Armitage wrote:
I might be doing something wrong but I can’t seem to find the cache_ocsp module anywhere which is called in the tls-cache server:
I thought the whole point of OCSP was that it was supposed to be a lightweight and quickly updated alternative to CRLs, and therefore caching it doesn't make sense from a security point of view?
No, it does. The OCSP standard provides a nextUpdate field which indicates the next time data will be available. nextUpdate The time at or before which newer information will be available about the status of the certificate. https://tools.ietf.org/html/rfc6960 (section 2.4). So you can use that as your Cache-TTL. You can also do smarter things if you own all the internal infrastructure like delete cache entries when the status of the certificate changes. This particular feature was added to support a very large commercial deployment of EAP-TLS (1.6M subscribers), which is operating with a single OCSP server instance (it fails open). I have no idea how good OpenSSL's internal OCSP client is, but I wouldn't be surprised if it closed the TCP connection after every request. -Arran