[jetty-users] OCSP stapling issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] OCSP stapling issues

From: Matthias Pfau <matthias.pfau@xxxxxxxx>
Date: Sun, 6 Sep 2020 11:16:24 +0200 (CEST)
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Hi there,
we just had some problems with OCSP stapling as we did not receive responses from OCSP responder which ultimately lead to qtp threadpool congestion.

We enabled OCSP stapling by setting "jdk.tls.server.enableStatusRequestExtension" to true. A thread dump revealed that nearly all threads were waiting to on the OCSP responders answers (see https://gist.github.com/mpfau/5fb8a4ffdf3f7b62c5856b5ef27b8f0a for a thread stack).

I thought that  server side OCSP stapling had been implemented in a lazy async fashion but it does not seem like this is the case. Did anyone else experience this or has found a solution? Is this a JDK or a jetty problem?

Would also be nice if one could define which interface/ip should be used to send OCSP requests. Is that possible?

Thanks!

Best,
Matthias

Follow-Ups:
- Re: [jetty-users] OCSP stapling issues
  - From: Simone Bordet

Prev by Date: Re: [jetty-users] jetty-maven-plugin: minimal HTTPS example?
Next by Date: Re: [jetty-users] OCSP stapling issues
Previous by thread: [jetty-users] CrossOriginFilter
Next by thread: Re: [jetty-users] OCSP stapling issues
Index(es):
- Date
- Thread

Breadcrumbs