Description
When we get an OCSP response, we check it before caching/stapling it. If it is negative, I think we had better discard it instead of sending it back to the user agent. This would not increase the security risk: the user agent would query the CA for the OCSP response if ATS does not staple it with the certificate.
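The check described above, as an added example (this is not ATS code and not the reporter's code): a decision function that takes the status fields of an already-parsed OCSP response and staples only a fresh, in-window "good" answer, plus a small per-certificate staple cache. The response status codes and CertStatus choices follow RFC 6960; the clock-skew tolerance, the OCSPResult and StapleCache names, and the evict-on-revoked behaviour of the cache are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# OCSPResponseStatus (RFC 6960, section 4.2.1): only 0 means the responder
# actually answered about the certificate; everything else is a responder error.
OCSP_SUCCESSFUL = 0
OCSP_TRY_LATER = 3

# CertStatus choices in a SingleResponse.
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Hypothetical clock-skew tolerance; ATS's real value is not on this page.
MAX_SKEW = timedelta(minutes=5)


@dataclass
class OCSPResult:
    """Fields pulled from an already-parsed OCSP response (DER parsing is not modeled)."""
    response_status: int
    cert_status: Optional[str] = None
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None


def should_staple(r: OCSPResult, now: datetime) -> Tuple[bool, str]:
    """Return (staple_it, reason).

    Only a successful, in-window, 'good' answer is cached and stapled; anything
    else is discarded so the user agent performs its own OCSP query.
    """
    if r.response_status != OCSP_SUCCESSFUL:
        return False, "responder status %d, not a definitive answer" % r.response_status
    if r.this_update is None or r.this_update - MAX_SKEW > now:
        return False, "thisUpdate missing or in the future"
    if r.next_update is not None and r.next_update + MAX_SKEW < now:
        return False, "response expired (nextUpdate has passed)"
    if r.cert_status != GOOD:
        # A negative (revoked) or indeterminate (unknown) answer is dropped
        # rather than sent to the client.
        return False, "certificate status %r, not stapling" % r.cert_status
    return True, "good, within validity window"


class StapleCache:
    """At most one stapled response per certificate.

    A responder error on refresh keeps the previous good staple until it
    expires; an explicit 'revoked' answer evicts it (assumed policy, chosen so
    a stale 'good' is not served after the CA has said otherwise).
    """

    def __init__(self) -> None:
        self._good: Dict[str, OCSPResult] = {}

    def refresh(self, cert_id: str, r: OCSPResult, now: datetime) -> bool:
        ok, _ = should_staple(r, now)
        if ok:
            self._good[cert_id] = r
        elif r.response_status == OCSP_SUCCESSFUL and r.cert_status == REVOKED:
            self._good.pop(cert_id, None)
        return ok

    def staple_for(self, cert_id: str, now: datetime) -> Optional[OCSPResult]:
        r = self._good.get(cert_id)
        if r is None:
            return None
        ok, _ = should_staple(r, now)  # re-check: the cached copy may have expired
        if not ok:
            del self._good[cert_id]
            return None
        return r


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real responder.
    now = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)
    good = OCSPResult(OCSP_SUCCESSFUL, GOOD, now - timedelta(hours=1), now + timedelta(hours=1))
    revoked = OCSPResult(OCSP_SUCCESSFUL, REVOKED, now - timedelta(hours=1), now + timedelta(hours=1))
    cache = StapleCache()
    cache.refresh("example-cert", good, now)
    print(should_staple(revoked, now))
    cache.refresh("example-cert", revoked, now)
    print(cache.staple_for("example-cert", now))
```

With no staple in the handshake the client falls back to its own OCSP lookup, which is the reporter's argument for why discarding is safe; the re-check in staple_for matters because a response that was good when cached can pass its nextUpdate while still sitting in the cache.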
Attachments
Issue Links
- relates to TS-2367 Add OCSP (Online Certificate Status Protocol) Stapling Support (Closed)
Fei, it looks like you are re-using existing metrics. Would it make sense to report these error conditions into new metrics instead of overloading the existing user_agent_unknown_cert and user_agent_revoked_cert? These metric names don't provide any hints that they may be related to OCSP.
Also, you had a different version which reported debug messages to the "ssl_ocsp" tag instead of just "ssl". I found that useful for debugging just ocsp related issues.