CAcert System Admins discussion list

[Daniel Black <daniel AT cacert.org>]

On Saturday 26 September 2009 05:00:53 Philipp Gühring wrote:
> Hi,
> 
> > By the way, there is still an issue with Opera, in that it delays
> > connections to webservers for 15 seconds that are using CAcert
> > certificates. That problem is unrelated to OCSP.
> 
> I just researched that topic a little more, and discovered that it is
> actually OCSP stapling support that is missing on our Apache servers.
true - its missing from most web servers world wide.

> Therefore Opera waits for 15 seconds to receive the OCSP stapling TLS
> message, and then timeouts and does OCSP itself.

It is true that Opera requests the OCSP stapling as a extension however it 
processes TLS connections to other sites if they don't support it.

As per https://lists.cacert.org/wws/arc/cacert/2009-09/msg00063.html I just ;
see it aborting the TLS connection after seeing the server done and waits a 
little bit before displaying a user error. The TLS connection is aborted well 
before it starts to wait. If the server supports OCSP stapling the message 
comes in the Server Hello message.

interesting that it downloads a CRL and does the external OCSP request before 
after the client hello - on about the second TLS connection.

> Unfortunately, OCSP stapling hasn't been officially shipped in Apache
> yet (as of 2.2.13), I guess that IIS has it already.
I checked www.pcunet2.com.au which has IIS and it doesn't doe OCSP. IIS 
doesn't even do SNI.

From what I've seen it just seems to be CAcert certificate signed sites.

--
Daniel Black
Infrastructure Administrator
CAcert

Attachment: signature.asc
Description: This is a digitally signed message part.