On 2023/09/26 10:48:23 Mark Thomas wrote:
> Hi,
>
> This is an old thread (2021) but relevant to BZ 67061 [1].
>
> In short, optionalNoCA doesn't work unless OCSP is also disabled.
>
> Do we:
>
> a) Always skip the OCSP check if optionalNoCA is used (and document this
> for optionalNoCA)?
>
> b) Leave the code unchanged and document that using optionalNoCA also
> requires OCSP to be explicitly disabled?
>
> My understanding from the 2021 thread is that we agreed to implement a)
> although it looks like that never happened.
>
> Unless there are objections, I intend to implement a) shortly.

I tripped over this two years ago and was surprised that the Tomcat responses were so slow; it turned out:

* our OCSP responder was abysmally slow
* OCSP check was *enabled* by default and only a hack by Rainer did disable it.

I would highly prefer that we have the logical equivalent of https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslocspenable (attribute "ocspEnable" or alike, for consistency with other attributes), not even speaking about the other options.

Michael