From: Rich Bowen Date: Sat, 2 May 2026 20:22:10 +0000 (+0000) Subject: Bug 62031: Add OCSP Stapling production tuning recommendations to SSL howto X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0395e1df082b85b3a8931fd86a2e2a480dca348;p=thirdparty%2Fapache%2Fhttpd.git Bug 62031: Add OCSP Stapling production tuning recommendations to SSL howto git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933726 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 9f1b2c45d0..c4f541a0bd 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -302,6 +302,40 @@ and SSLCertificateFile for instructions for configuring the certificate chain.

+
+Tuning OCSP Stapling for production +

The default OCSP stapling settings are conservative and may +result in excessive queries to OCSP responders, timeouts, or +error responses being cached for too long. The following settings +are recommended for production use:

+ + +# Do not pass OCSP responder errors to clients: +SSLStaplingReturnResponderErrors off + +# Reduce the OCSP responder timeout from the default 10s: +SSLStaplingResponderTimeout 4 + +# Cache valid OCSP responses for 48 hours (default: 1 hour). +# This reduces load on OCSP responders and avoids transient +# errors caused by frequent queries: +SSLStaplingStandardCacheTimeout 172800 + +# Retry failed OCSP queries after 60 seconds instead of the +# default 600s: +SSLStaplingErrorCacheTimeout 60 + + +

These settings address common issues where default OCSP stapling +produces errors under load — particularly when OCSP responders are +slow or unreliable. See the individual directive documentation for +SSLStaplingReturnResponderErrors, +SSLStaplingResponderTimeout, +SSLStaplingStandardCacheTimeout, and +SSLStaplingErrorCacheTimeout +for details.

+
+
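Review bot: the comment on `SSLStaplingStandardCacheTimeout 172800` (and the prose after the block) should say that 48 hours is only how long mod_ssl retains a fetched response in the stapling cache, not a lifetime it can grant the response; the responder's own validity window still bounds what can be stapled, so the benefit of the larger value is fewer refetches of a still-valid response, and the claim that it "avoids transient errors caused by frequent queries" reads as if the cache extended validity. Suggest `# Keep valid OCSP responses cached for up to 48 hours (default: 3600).` and, for consistency with the other comments in the block, quoting defaults in the same unit (the timeout and error-cache comments give seconds, this one gives "1 hour"). Two smaller points in the same block: `SSLStaplingReturnResponderErrors off` should carry a comment stating the user-visible consequence, that on a responder error nothing is stapled instead of an error response, so clients fall back to their own revocation checking; and the new section should state that these four directives only have an effect where stapling is already enabled (`SSLUseStapling on` with an `SSLStaplingCache` configured), since a reader landing on "Tuning OCSP Stapling for production" may copy the block on its own.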