@selecadm @igrigorik Yes. Apache is notoriously bad here. Really, need an ocsp-daemon (which is how IIS does it, and Apple quasi-does-it)
Replying to @sleevi_
@selecadm @igrigorik Renew responses at expiry / 2, maintain fresh responses, handle interaction w/ proxy/firewalls as appropriate.
Replying to @igrigorik
@igrigorik @ericlaw Unless things changed in past 2mo, it still _blocks_ on startup for response, doesn't renew, and will serve junk data
Replying to @sleevi_
@sleevi_ @igrigorik @ericlaw It's not that bad. nginx has always renewed, and has never blocked
Replying to @__agwa
@__agwa @igrigorik @ericlaw It doesn't background renew though - it just evicts current so it stops serving until it renews, right?
Replying to @sleevi_
@sleevi_ @igrigorik @ericlaw It kind of does background renew, but only if a worker process is actively receiving new connections.
Replying to @__agwa
@sleevi_ @igrigorik @ericlaw So sometimes it could stop serving OCSP response, but other times renew will be seamless. Yay, nondeterminism!
Replying to @__agwa
@__agwa @sleevi_ @igrigorik @ericlaw And unfortunately this means Must Staple is a non-starter unless you do out-of-band polling to a file.
@j4cob @sleevi_ @igrigorik @ericlaw We should just toss all this code out the window and use short-lived certs instead :-D