[SSL] OCSP check times out #13

ameshkov · 2015-07-19T12:22:22Z

Problem

OCSP check can time out. In this case AG makes an async check with an infinite timeout. The problem here is that until that check is finished AG counts cert valid.

Why?

OCSP servers are slow so revocation check can easily timed out.

What can we do?

Increase default OCSP check timeout
Use CRLSet just like Chrome does.

It is not very good solution though:
https://www.imperialviolet.org/2014/04/29/revocationagain.html
https://code.google.com/p/chromium/issues/detail?id=361820
https://www.grc.com/revocation/crlsets.htm
http://www.zdnet.com/article/chrome-does-certificate-revocation-better/

ameshkov · 2015-07-19T12:41:33Z

Chromium code:
http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/cert_verify_proc_win.cc

They do no revocation check except CRLSet on the main thread for non-EV certs, only async check.

ameshkov · 2015-08-11T09:21:13Z

At least we should implement OCSP stapling

gshumihin · 2015-08-17T12:30:15Z

OCSP stapling implemented

ameshkov added the bug label Jul 19, 2015

ameshkov added this to the 6.0 beta milestone Jul 19, 2015

ameshkov changed the title ~~[SSL] OCSP check fails on some windows configurations~~ [SSL] OCSP check times out Jul 19, 2015

ameshkov closed this as completed Aug 17, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SSL] OCSP check times out #13

[SSL] OCSP check times out #13

ameshkov commented Jul 19, 2015

ameshkov commented Jul 19, 2015

ameshkov commented Aug 11, 2015

gshumihin commented Aug 17, 2015

[SSL] OCSP check times out #13

[SSL] OCSP check times out #13

Comments

ameshkov commented Jul 19, 2015

Problem

Why?

What can we do?

ameshkov commented Jul 19, 2015

ameshkov commented Aug 11, 2015

gshumihin commented Aug 17, 2015