ouch.. "OCSP checks timeout ~15% of the time, and take 350ms when successful": http://mzl.la/1P8aGs4 - tip: configure OCSP stapling!
@__agwa @igrigorik @ericlaw It doesn't background renew though - it just evicts the current one so it stops serving until it renews, right?
@sleevi_ @igrigorik @ericlaw It kind of does background renew, but only if a worker process is actively receiving new connections.
@sleevi_ @igrigorik @ericlaw So sometimes it could stop serving the OCSP response, but other times renew will be seamless. Yay, nondeterminism!
@__agwa @sleevi_ @igrigorik @ericlaw And unfortunately this means Must Staple is a non-starter unless you do out-of-band polling to a file.
@j4cob @sleevi_ @igrigorik @ericlaw We should just toss all this code out the window and use short-lived certs instead :-D
@sleevi_ @igrigorik @ericlaw OTOH, not blocking leads to a different problem: it will return no OCSP response at all if it's not ready yet.
@__agwa @sleevi_ @igrigorik @ericlaw I use https://sslanalyzer.comodoca.com to force nginx OCSP Stapling after (re)start.