by LinuxBender 1799 days ago
It's hit-and-miss per LB/server and I have not seen this become a priority since it's not a super popular feature. Here [1] [2] are a couple of articles on the topic. My experience has been with HAProxy and F5 load balancers. HAProxy uses an out-of-band process to lay down a .ocsp file and load it via the API. This in effect acts like a cache, assuming the script creating the .ocsp file has error handling to avoid clobbering the file if the upstream OCSP endpoint cannot be reached.

F5 load balancers will cache the response in memory. I have not tested Apache with OCSP stapling/caching recently so I can only assume based on feedback from others here that they have not improved it. I would expect nginx to improve now that they are owned by F5, maybe, eventually.

I am a fan of OCSP stapling/caching for the privacy aspect. No need for browsers to leak to the OCSP end-point what domain you are visiting. There are enough nosy people sniffing our traffic already.

[1] - https://www.keycdn.com/support/ocsp-stapling

[2] - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
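The out-of-band refresh the comment describes, written out as an added example (not code from the comment author or from the HAProxy project). The refresh step fetches a fresh response with `openssl ocsp`, accepts it only if OpenSSL verifies the signature and reports the certificate as `good`, and installs it with an atomic rename, so a failed or partial fetch never clobbers the `.ocsp` file that HAProxy will read on its next reload. Assumed: the certificate, issuer-chain path and `.ocsp` destination passed on the command line, a HAProxy runtime API socket at `/var/run/haproxy.sock`, and `socat` on the host. The fetcher is passed as a function name so the install logic can be exercised without network access.

```shell
#!/bin/sh
# Refresh one certificate's OCSP staple for HAProxy without ever clobbering
# the existing .ocsp file on a failed fetch. Added example; assumptions:
# paths given as arguments, runtime socket at /var/run/haproxy.sock, socat.
set -u

# fetch_ocsp CERT ISSUER OUT: query the responder named in the cert's AIA
# extension and write the DER response to OUT. Returns nonzero unless OpenSSL
# both verified the response against ISSUER and reported the cert as "good".
fetch_ocsp() {
    cert=$1; issuer=$2; out=$3
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri) || return 1
    [ -n "$url" ] || return 1                      # no AIA OCSP URL: nothing to staple
    result=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" \
                 -url "$url" -respout "$out" 2>&1) || return 1
    case $result in *"Response verify OK"*) ;; *) return 1 ;; esac
    case $result in *"$cert: good"*) return 0 ;; *) return 1 ;; esac
}

# install_staple FETCHER CERT ISSUER DEST: run FETCHER into a temp file next to
# DEST and rename it into place only on success. rename(2) is atomic, so a
# reader (HAProxy reloading) sees either the old staple or the complete new
# one, never a truncated file. On any failure the temp file is removed and
# DEST is left exactly as it was.
install_staple() {
    fetcher=$1; cert=$2; issuer=$3; dest=$4
    tmp="$dest.tmp.$$"
    if "$fetcher" "$cert" "$issuer" "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# push_to_haproxy DEST [SOCKET]: load the staple into the running process via
# the runtime API ("set ssl ocsp-response" takes the DER response base64
# encoded on one line). This updates memory only; the .ocsp file on disk is
# what survives a reload.
push_to_haproxy() {
    dest=$1; sock=${2:-/var/run/haproxy.sock}
    printf 'set ssl ocsp-response %s\n' "$(openssl base64 -A -in "$dest")" \
        | socat stdio "unix-connect:$sock"
}

# Usage: ocsp-refresh.sh CERT.pem CHAIN.pem CERT.pem.ocsp
# Exit status is nonzero when the responder was unreachable or returned a
# response that did not verify, in which case the previous staple stays in
# place and nothing is pushed to HAProxy.
if [ $# -eq 3 ]; then
    if install_staple fetch_ocsp "$1" "$2" "$3"; then
        push_to_haproxy "$3"
    else
        echo "ocsp refresh failed for $1; keeping existing $3" >&2
        exit 1
    fi
fi
```

Run it from cron (or a systemd timer) at an interval shorter than the responder's `Next Update` so a transient outage just means serving the still-valid previous staple; pair it with HAProxy's `crt` entries so the `.ocsp` file sits beside the certificate it belongs to.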