Re: [jetty-users] OCSP stapling issues

Hi,

On Sun, Sep 6, 2020 at 11:16 AM Matthias Pfau <matthias.pfau@xxxxxxxx> wrote:
>
> Hi there,
> we just had some problems with OCSP stapling as we did not receive responses from the OCSP responder, which ultimately led to qtp threadpool congestion.
>
> We enabled OCSP stapling by setting "jdk.tls.server.enableStatusRequestExtension" to true. A thread dump revealed that nearly all threads were waiting on the OCSP responders' answers (see https://gist.github.com/mpfau/5fb8a4ffdf3f7b62c5856b5ef27b8f0a for a thread stack).
>
> I thought that server-side OCSP stapling had been implemented in a lazy async fashion, but it does not seem like this is the case. Did anyone else experience this or has found a solution? Is this a JDK or a Jetty problem?

It is a JDK issue: Jetty does not control how OCSP requests are
made; it delegates them to the JDK.
Please open an issue at https://bugreport.java.com/

> Would also be nice if one could define which interface/ip should be used to send OCSP requests. Is that possible?

That should be possible by setting the OCSP responderURL via
`SslContextFactory.setOcspResponderURL(String)`.
Have you tried already?

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
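The failure mode described in the thread (handshake threads parked on an unresponsive OCSP responder until the QueuedThreadPool is exhausted) is bounded on the JDK side rather than in Jetty, so the practical mitigation is to configure the JDK's stapling properties before the server starts. The following is an added example, not code from the thread or from the Jetty project: it sets the JDK stapling response timeout and pins the responder URI (the system-property counterpart to the `SslContextFactory.setOcspResponderURL` setter mentioned in the reply), then starts a Jetty 9.4-style TLS connector on top of an explicitly sized QueuedThreadPool. The Jetty class and method names are the 9.4 API as I know it; the keystore path, password, port and responder URL are placeholders to be replaced.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;

/**
 * Jetty TLS server with OCSP stapling enabled and the JDK's OCSP fetch bounded,
 * so a slow or dead responder holds a handshake thread for a known maximum time
 * instead of indefinitely. Example code, not from the Jetty project.
 */
public class StapledTlsServer {

    /** Configure the JDK stapling knobs. Must run before any SSLContext is built. */
    static void configureJdkStapling(String responderUrl, int responseTimeoutMillis) {
        // Server-side stapling is off by default in the JDK; this is the switch the
        // original poster enabled.
        System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
        // Maximum time (ms) the server waits for the OCSP responder during a
        // handshake (JDK default 5000). This is the bound that keeps a qtp thread
        // from being held for longer than a single slow handshake should take.
        System.setProperty("jdk.tls.stapling.responseTimeout",
                Integer.toString(responseTimeoutMillis));
        // Cache stapled responses so one fetch serves many handshakes
        // (entries, and lifetime in seconds).
        System.setProperty("jdk.tls.stapling.cacheSize", "256");
        System.setProperty("jdk.tls.stapling.cacheLifetime", "3600");
        // Pin the responder instead of following the certificate's AIA extension.
        // responderOverride=true makes responderURI win even when AIA is present.
        System.setProperty("jdk.tls.stapling.responderURI", responderUrl);
        System.setProperty("jdk.tls.stapling.responderOverride", "true");
    }

    static Server buildServer(String keyStorePath, String keyStorePassword, int port) {
        // Size the pool explicitly: with responseTimeout bounded, the worst case is
        // maxThreads handshakes each waiting at most responseTimeout.
        QueuedThreadPool pool = new QueuedThreadPool(200, 8);
        pool.setName("qtp-tls");
        Server server = new Server(pool);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        // Server-side factory (Jetty 9.4 API). Stapling itself is done by the JDK's
        // SSLContext that this factory creates; Jetty does not issue the OCSP request.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);          // PLACEHOLDER path
        ssl.setKeyStorePassword(keyStorePassword);  // PLACEHOLDER password

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(port);
        https.setIdleTimeout(30_000);
        server.addConnector(https);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // PLACEHOLDER responder URL: replace with the CA's OCSP responder.
        configureJdkStapling("http://ocsp.example.invalid/", 2000);
        Server server = buildServer("/path/to/keystore.p12", "changeit", 8443);
        server.start();
        server.join();
    }
}
```

The properties are read when the JDK's stapling manager initialises, so passing them as `-Djdk.tls.stapling.responseTimeout=2000` on the command line is the safer equivalent of the `System.setProperty` calls above if any TLS context might be created before `main` runs. To confirm the server is actually stapling, and to see how a handshake behaves when the responder is slow, run `openssl s_client -connect host:8443 -status` and check for an "OCSP Response Status: successful" block; a missing block with the responder reachable points back at the JDK configuration rather than at Jetty.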