@igrigorik Sadly, nginx and apache's implementations are bad enough that doing so will create even more issues :(
Replying to @sleevi_
Adm Selec Retweeted Ivan Ristic
@sleevi_ @igrigorik SSL Labs had to disable it: https://twitter.com/ivanristic/status/667463862086737921
Replying to @selecadm
@selecadm @igrigorik Yes. Apache is notoriously bad here. Really, need an ocsp-daemon (which is how IIS does it, and Apple quasi-does-it)
Replying to @sleevi_
@selecadm @igrigorik Renew responses at expiry / 2, maintain fresh responses, handle interaction w/ proxy/firewalls as appropriate.
Replying to @ericlaw
Replying to @igrigorik
@igrigorik @ericlaw Unless things changed in past 2mo, it still _blocks_ on startup for response, doesn't renew, and will serve junk data
Replying to @sleevi_
@igrigorik @ericlaw Also has issues if you have other certs w/o OCSP data. Also doesn't let you specify OCSP responder URL.
Replying to @sleevi_
@igrigorik @ericlaw I know that @__agwa did a strafing run on some of the low-hanging fruit (serving expired responses, for ex)
Replying to @sleevi_
@igrigorik @ericlaw @__agwa Although reading that patch and converting OpenSSL times to time_t = emsaddened for 2038 issues ;)
@sleevi_ @igrigorik @ericlaw My patch didn't use time_t, but they rewrote it to avoid OpenSSL times b/c of "complex string operations" ;-)
Replying to @__agwa
@__agwa @igrigorik @ericlaw Yes, comparing characters for < is soOooo complex ;)