==NSS' internal OCSP Cache==
Starting with NSS version 3.11.7, NSS caches OCSP responses.
As of version 3.11.7, the cache is cleared when the application changes any OCSP setting.
As of version 3.11.7, if the OCSP server sends information for multiple certificates, only the information about the certificate of interest is added to the cache. It has been proposed to optimize this in the future; however, it must be ensured that bulky responses do not push more important information out of the cache.
NSS enforces a lower limit on retrying OCSP, which is set to 1 hour by default (as of version 3.11.7). In relaxed mode, after NSS has tried to obtain an OCSP response, it will not try to fetch an answer again until after the end of this period. Even if no valid response could be obtained, NSS will remember this failure and not retry until after the end of the period.
This lower limit is used differently in strict mode. If NSS has no information cached at all about a certificate, it will attempt to contact the OCSP server each time verification of that certificate is requested. However, once a response has been received, NSS will use the cached information and not contact the OCSP server until after the lower time boundary.
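
The retry rule above, modelled as a small C decision function plus a simulation that counts how many verifications reach the responder in each mode. This is an added example, not NSS source code: the type and function names are hypothetical, and it assumes that in strict mode a remembered failure counts as "no information cached".

```c
#include <stdbool.h>
#include <time.h>

#define MIN_RETRY_SECONDS (60 * 60)  /* lower limit: 1 hour by default */

typedef enum { MODE_RELAXED, MODE_STRICT } ocsp_mode;   /* hypothetical names */
typedef enum { ENTRY_NONE, ENTRY_FAILURE, ENTRY_RESPONSE } entry_state;

typedef struct {
    entry_state state;    /* what the last fetch attempt left behind */
    time_t last_attempt;  /* when that attempt was made */
} cache_entry;

/* Returns true when a verification request should contact the OCSP server. */
bool should_query_responder(ocsp_mode mode, const cache_entry *e, time_t now)
{
    if (e->state == ENTRY_NONE)
        return true;                    /* never tried: both modes fetch */

    bool within_limit = (now - e->last_attempt) < MIN_RETRY_SECONDS;

    if (e->state == ENTRY_RESPONSE)
        return !within_limit;           /* cached answer reused in both modes */

    /* ENTRY_FAILURE: relaxed mode remembers the failure for the whole period.
       Assumption: strict mode treats a failure as no cached information,
       so every verification retries. */
    return mode == MODE_STRICT || !within_limit;
}

/* Simulate n verifications of one certificate, spaced `step` seconds apart,
   and count how many reach the network. responder_up says whether a fetch
   yields a valid response. */
int count_fetches(ocsp_mode mode, bool responder_up, int n, int step)
{
    cache_entry e = { ENTRY_NONE, 0 };
    int fetches = 0;
    for (int i = 0; i < n; i++) {
        time_t now = (time_t)1000000 + (time_t)i * step;  /* constructed clock */
        if (should_query_responder(mode, &e, now)) {
            fetches++;
            e.state = responder_up ? ENTRY_RESPONSE : ENTRY_FAILURE;
            e.last_attempt = now;
        }
    }
    return fetches;
}
```

With an unreachable responder, relaxed mode contacts it once per retry period, while strict mode under the stated assumption contacts it on every verification.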
==HTTP POST vs. HTTP GET==