Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: SSL performance depends on OCSP response time |
|
| Author |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3118
Location: Hilversum, NL, EU
|
 Posted: Fri 26 Apr '13 14:50 Post subject: SSL performance depends on OCSP response time |
 |
|
When a visitor accesses a website, the browser needs to check the validity status of the SSL Certificate before the content is rendered to the waiting visitor. CRLs and OCSP are standard compliant ways of doing revocation checking. The speed at which this happens depends on the reliability and performance of the CA's infrastructure, and will have a direct impact on your website performance. The shorter the validation time, the faster your website will load for website visitors.
See the Report. StartSSL's OCSP response time appears to be ten times faster than Geotrust/RapidSSL/Symantec. And I have StartSSL certficates.
https://revocation-report.x509labs.com/#ocsp=root,crl=root,ocspRange=2013-04-18+2013-04-24,crlRange=2013-04-18+2013-04-24
Steffen |
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Fri 26 Apr '13 19:57 Post subject: |
|
|
StarSSL's OCSP server may be 10 times faster, but it's unavailable plenty.
[Thu Apr 25 01:50:26.524125 2013] [ssl:error] [pid 1020:tid 780] [client xxx.xxx.xxx.xxx:3783] AH01980: bad response from OCSP server: 503 Service Unavailable
[Tue Apr 23 04:20:19.039750 2013] [ssl:error] [pid 1020:tid 708] [client yyy.yyy.yyy.yyyy:50963] AH01980: bad response from OCSP server: 503 Service Unavailable |
|
| Back to top |
|
|
|
|
|
|
