[dlkmp]

Does the caching reliably work in common webservers by now? I remember having read a couple years ago that Apache would simply clear its cache if the connection to the ocsp provider breaks (or did something similar unhelpful, resulting in an error to the enduser).

[LinuxBender]

It's hit-and-miss per LB/server and I have not seen this become a priority since it's not a super popular feature. Here [1] [2] are a couple articles on the topic. My experience has been with HAproxy and F5 load balancers. HAProxy uses an out-of-band process to lay down a .ocsp file and load it via the API. This in effect acts like a cache assuming the script creating the .ocsp file has error handing to avoid clobbering the file if the upstream OCSP endpoint can not be reached.

F5 load balancers will cache the response in memory. I have not tested Apache with OCSP stapling/caching recently so I can only assume based on feedback from others here that they have not improved it. I would expect nginx to improve now that they are owned by F5, maybe, eventually.

I am a fan of OCSP stapling/caching for the privacy aspect. No need for browsers to leak to the OCSP end-point what domain you are visiting. There are enough nosy people sniffing our traffic already.

[1] - https://www.keycdn.com/support/ocsp-stapling

[2] - https://blog.cloudflare.com/high-reliability-ocsp-stapling/

[hannob]

Very likely you read my blogpost. See the update at the top: https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-St...

[mholt]

Caddy does OCSP stapling + caching reliably (and has for years).

It will even auto-renew your certificate if it gets an OCSP response of "Revoked".