Comments (4)
It makes no sense to turn it off by default. OCSP stapling is a huge benefit to users and server operators. It means browsers don't need to hit the responders (saving a lot of traffic globally); it means the server can check periodically for revocation (which is not unheard of if a CA has a bug; mass revocation events happen).
The only time it makes sense to turn off is if your server isn't able to reach OCSP responders anyway, due to network conditions. But that's rare.
from caddy.
Caddy is neither a web browser nor a CA; the CAB forum rules do not apply to web servers. The new rule simply changes the requirements regarding OCSP for CAs to be trusted by web browsers; this has no effect on web servers.
Most CAs are still operating OCSP responders. Disabling OCSP stapling puts Web security at a disadvantage at this point. OCSP stapling is a privacy enhancement and traffic reducer. Caddy will not be disabling it by default.
Any errors encountered during OCSP stapling, however, are not treated as fatal/blockers; they are logged, but not as errors.
I don't think there's anything actionable for us to do at this time, so I'll close this issue.
from caddy.
Ok, but then please improve the CLI output. Currently it shows up as an error, but it should be more of just information.
Google, Mozilla, etc. won't use OCSP in the future so it won't be the "huge benefit" you describe.
(You can see within the ballot that Google, Mozilla and Apple voted for the change, not against it.)
from caddy.
What error?
from caddy.