[caops-wg] Issue with OCSP through HTTP caches

jluna at ac.upc.edu jluna at ac.upc.edu
Fri Apr 21 03:22:19 CDT 2006


Dear all,
A couple of days ago we had an issue with the OCSP Responder and an OpenSSL
user, where the OCSP Request was being sent over HTTP but traversing a Squid
cache.
The problem was a combination of an OpenSSL "known issue" (use the "host+path"
parameters instead of the "url" parameter when performing an OCSP Request) with
the Squid ability to cache certain types of HTTP requests (in this case
HTTP/1.0).
Even though RFC2560 mentions the following:
"The reliance of HTTP caching in some deployment scenarios may result in
unexpected results if intermediate servers are incorrectly configured or are
known to possess cache management faults. Implementors are advised to take the
reliability of HTTP cache mechanisms into account when deploying OCSP over
HTTP."

Maybe we should add to the "OCSP Requirements for Grids" document this note, so
potential deployments disable OCSP over HTTP caching in intermediate servers.
What do you think about it?
More info about the OpenSSL issue mentioned above can be found in the
openssl-users mailing list under the following link:
http://marc.theaimsgroup.com/?l=openssl-users&m=111091034704961&w=2

Best regards,
Jesus & Oscar
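As an added illustration of the caching problem discussed above (this code is not part of the original post and is not from OpenSSL, Squid or the caops-wg), the following Python shows the two things a deployer can do on the client side: send the OCSP request as an HTTP/1.1 POST with explicit no-cache headers, and audit the raw HTTP reply for signs that it was served from an intermediate cache rather than directly by the responder. The hostnames, the `.invalid` domains and the header values in the sample replies are constructed; the DER bytes are placeholders, not real OCSP messages, and parsing the OCSP response itself is left out.

```python
"""Added example (not from the original post): build an OCSP-over-HTTP request
that asks intermediate proxies not to serve it from cache, and audit an HTTP
reply for evidence that it came through a cache. Standard library only; no
network access happens here."""
from email.parser import BytesParser

# Media types from RFC 2560 Appendix A (OCSP over HTTP)
OCSP_REQUEST_TYPE = b"application/ocsp-request"
OCSP_RESPONSE_TYPE = b"application/ocsp-response"


def build_ocsp_post(host: str, path: str, der_request: bytes) -> bytes:
    """Serialise an HTTP/1.1 POST carrying a DER-encoded OCSP request.

    A relative request-target plus an explicit Host header keeps the request
    in the plain origin-server form; Cache-Control and Pragma tell any cache
    on the way not to answer from a stored reply.
    """
    lines = [
        b"POST " + path.encode("ascii") + b" HTTP/1.1",
        b"Host: " + host.encode("ascii"),
        b"Content-Type: " + OCSP_REQUEST_TYPE,
        b"Content-Length: " + str(len(der_request)).encode("ascii"),
        b"Cache-Control: no-cache, no-store",
        b"Pragma: no-cache",
        b"Connection: close",
        b"",
        b"",
    ]
    return b"\r\n".join(lines) + der_request


def split_http_response(raw: bytes):
    """Return (status_line, headers, body) from a raw HTTP reply."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block)
    return status_line.decode("ascii", "replace"), headers, body


def cache_indicators(raw: bytes) -> list:
    """List the signs that an OCSP reply was served via an HTTP cache.

    An empty list only means nothing suspicious was seen in the HTTP layer;
    the producedAt/thisUpdate/nextUpdate fields inside the OCSP response must
    still be checked once the DER is parsed (not covered here).
    """
    status_line, headers, body = split_http_response(raw)
    findings = []
    if status_line.startswith("HTTP/1.0"):
        findings.append("HTTP/1.0 reply: intermediary may apply legacy caching rules")
    age = headers.get("Age")
    if age is not None and age.strip().isdigit() and int(age) > 0:
        findings.append("Age: %s seconds old in a cache" % age.strip())
    # Via is added by proxies; X-Cache/X-Cache-Lookup are Squid-style hit markers
    for name in ("Via", "X-Cache", "X-Cache-Lookup"):
        value = headers.get(name)
        if value is not None and (name == "Via" or "HIT" in value.upper()):
            findings.append("%s: %s" % (name, value.strip()))
    # Warning 110 = "Response is stale", 113 = "Heuristic expiration"
    for warning in headers.get_all("Warning", []):
        if warning.strip().startswith(("110", "113")):
            findings.append("Warning: %s" % warning.strip())
    ctype = headers.get("Content-Type", "")
    if ctype.split(";")[0].strip().encode("ascii") != OCSP_RESPONSE_TYPE:
        findings.append("unexpected Content-Type: %r" % ctype)
    return findings


# Constructed sample: a reply as it might look after a Squid cache served it
SAMPLE_CACHED = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Fri, 21 Apr 2006 08:00:00 GMT\r\n"
    b"Content-Type: application/ocsp-response\r\n"
    b"Age: 3600\r\n"
    b"X-Cache: HIT from proxy.example.invalid\r\n"
    b"Via: 1.0 proxy.example.invalid (squid)\r\n"
    b"\r\n"
    b"\x30\x03\x0a\x01\x00"  # placeholder bytes, not a real OCSP response
)

# Constructed sample: a reply straight from the responder, no cache headers
SAMPLE_DIRECT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 21 Apr 2006 08:00:00 GMT\r\n"
    b"Content-Type: application/ocsp-response\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"\x30\x03\x0a\x01\x00"  # placeholder bytes, not a real OCSP response
)

if __name__ == "__main__":
    print(build_ocsp_post("ocsp.example.invalid", "/ocsp", b"\x30\x00").decode("ascii", "replace"))
    print("cached reply  :", cache_indicators(SAMPLE_CACHED))
    print("direct reply  :", cache_indicators(SAMPLE_DIRECT))
```

The headers alone cannot prove freshness, so a deployment that wants to be robust against a misconfigured cache should also compare the OCSP response's own time fields against the local clock after parsing it; the HTTP-level check above is the cheap first filter that would have flagged the Squid case described in the post.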
