Bmis13

Reputation: 670

OCSP Stapling and server-side status check when the OCSP server is NOT reachable, causing a 5-second delay for the TLS handshake

We wanted to use the OCSP (Online Certificate Status Protocol) feature with the TLS handshake, aka OCSP stapling. As part of that, we turned it on at the JDK level by passing the flag "-Djdk.tls.server.enableStatusRequestExtension=true". As a result, the TLS handshake took more than 5 seconds because the OCSP server is unreachable (firewall) from our server. Based on this link https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html, we can reduce this by using '-Djdk.tls.stapling.responseTimeout=1000'.

Is there any way to have the JDK cache the ERROR response and retry only after 'jdk.tls.stapling.cacheLifetime=3600' (1 hr)? The observation is that each TLS handshake pays the 5-second penalty when the OCSP server is not reachable, because the response is NOT found in the cache.

Is there any way to avoid this or to cache an ERROR response? Is there any way to customize this OCSP caching behavior?

Thanks

Upvotes: 0

Views: 28

Answers (0)
