Re: [PATCH v2] OCSP stapling for GnuTLS and NSS
Date: Thu, 15 Jan 2015 11:43:55 +0100
On gio, gen 15, 2015 at 09:40:52 +0100, Kamil Dudka wrote:
> On Thursday 15 January 2015 00:27:09 Daniel Stenberg wrote:
> > On Thu, 8 Jan 2015, Alessandro Ghedini wrote:
> > > The only difference from  is that I fixed the NSS patch to shorten the
> > > line longer than 79 chars like Kamil suggested. I also fixed some typos in
> > > the commit messages.
> > Another thought: should we consider setting this option enabled by default
> > if the backend supports it? What would be the risk with such a move?
> It could lead to unexpected connection failures. I would propose to keep it
> optional for now.
Yeah, the check, as it's currently implemented, fails if the option is enabled
but remote host doesn't send the OCSP response, and since the vast majority of
sites don't support OCSP stapling yet, this would fail more often than not.
This could be changed (by making the lack of OCSP response non-fatal), but that
would make the whole thing useless.
- application/pgp-signature attachment: Digital signature