Use the stapled OCSP response from TLS on Linux, when available
Based on (non-exhaustive) testing, chain builds from a Let's Encrypt issued certificate have the following characteristics:

* Live OCSP request required (uncached/unstapled): 577ms
* OCSP response retrieved from cache (unstapled): 183ms
* OCSP response utilized from TLS stapling (bypasses cache): 182ms

In both cached and stapled the revocation portion was about 39ms. (The revocation mode was ExcludeRoot; the CRL pertaining to the intermediate was cached for all three measurements.)

If the OCSP response was stapled (and the math worked out OK on it) then we completely ignore the OCSP cache. While it could potentially be useful to update the cache if the stapled response was newer, the extra I/O of doing the "newer" test didn't feel justified at this time.
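The "math worked out OK" test is what decides whether a stapled response may stand in for the cache. The script below is an added example, not corefx code and not the author's implementation: it uses the openssl CLI to build a throwaway CA and leaf, mints three OCSP responses for the leaf (good, revoked, and one signed by an unrelated key), and applies a consumer-side check. A response is accepted only if its signature chains to the issuer, it carries a status for this exact certificate, and its validity window is current; anything else is rejected so the caller would fall back to the cache or a live fetch. All file names, subjects, dates and the good/revoked/reject vocabulary are assumptions of the example.

```shell
#!/bin/sh
# Added example (not corefx code): throwaway PKI + the stapled-response
# acceptance rule from the commit message. A response replaces the cache
# only when it verifies; otherwise it is ignored.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# --- throwaway PKI: a CA, a leaf it issued, and an unrelated "rogue" signer ---
openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout ca.key -out ca.crt -subj /CN=TestCA -days 1 2>/dev/null
openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout rogue.key -out rogue.crt -subj /CN=Rogue -days 1 2>/dev/null
openssl req -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout leaf.key -out leaf.csr -subj /CN=leaf 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 1 2>/dev/null
SERIAL=$(openssl x509 -in leaf.crt -noout -serial | cut -d= -f2)

# "openssl ocsp -index" answers from a CA index file; one tab-separated row
# per cert: status, expiry, revocation date, serial, file, subject.
write_index() {   # $1 = V (valid) or R (revoked); dates are made up
    if [ "$1" = R ]; then rev=240101000000Z; else rev=; fi
    printf '%s\t491231235959Z\t%s\t%s\tunknown\t/CN=leaf\n' "$1" "$rev" "$SERIAL" > index.txt
}

# Mint a response for leaf.crt signed by cert $1 / key $2, written to $3.
# -no_nonce because stapled responses (e.g. Let's Encrypt's) carry no nonce.
mint_response() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1" -rkey "$2" \
        -issuer ca.crt -cert leaf.crt -ndays 1 -no_nonce -respout "$3" >/dev/null 2>&1
}
write_index V; mint_response ca.crt ca.key good.der
write_index R; mint_response ca.crt ca.key revoked.der
write_index V; mint_response rogue.crt rogue.key rogue.der   # signed by nobody we trust

# --- consumer side: may this stapled response replace the OCSP cache? ---
# Prints "good" or "revoked" when the response verifies and is current, and
# "reject" when it must be ignored: unparseable, bad signature, untrusted
# signer, stale validity window, or no status for this certificate.
check_stapled() {   # $1 = DER response, $2 = leaf cert, $3 = issuer cert
    out=$(openssl ocsp -respin "$1" -issuer "$3" -cert "$2" -CAfile "$3" -no_nonce 2>&1) \
        || { echo reject; return 0; }
    case "$out" in *"Response verify OK"*) ;; *) echo reject; return 0 ;; esac
    case "$out" in *"Status times invalid"*) echo reject; return 0 ;; esac
    case "$out" in
        *"$2: good"*)    echo good ;;
        *"$2: revoked"*) echo revoked ;;
        *)               echo reject ;;
    esac
}

for r in good revoked rogue; do
    printf '%-12s -> %s\n' "$r.der" "$(check_stapled "$r.der" leaf.crt ca.crt)"
done
```

A real stapled response can be captured with `openssl s_client -status` and fed to the same check; for a production chain the `-CAfile` argument would be the trusted root plus intermediates rather than the issuer alone. Note that a verified response saying "revoked" is still accepted as the answer (and the chain build fails closed), which is distinct from an unverifiable response that is simply ignored in favour of the cache.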