Enable OCSP stapling

[bn4t]

Enable OCSP stapling as it increases performance and privacy.
Is also recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/

Feel free to share any thoughts on this.

[kyrofa]

I'm not so sure we want to deal with this (yet). It sounds like the implementation in Apache is a mess.

[bn4t]

Should I close issue, or leave it open?

[Guillaume99]

implementation in Apache is a mess.

quoted article has been updated, stating that "the situation has improved considerably"
maybe it is time now ?

[github-actions]

This issue is stale because it has been without activity for 60 days. It will be closed after 7 more days of inactivity.

[pachulo]

OK, I've been checking this and to do it the "better" way we need to use this mod_md apache module:

• https://github.com/icing/mod_md#how-to-staple-all-my-certificates

I would like to try to implement it if you think it's worthwhile @kyrofa

[pachulo]

gently ping @kyrofa

[kyrofa]

It's interesting that mod_md might be considered the solution to this, @pachulo. It might tie together with the solution to #1902 as well, potentially. Stuff like this makes me nervous though:

That being said, it is a new implementation. There will be bugs lurking and it is probably good advice to switch from the old stapling in a controlled way. Start with some domains and see how it works for you.

The idea of essentially making our users into unwitting beta testers makes me uncomfortable. When it breaks we're holding the pieces. What do you think?

[pachulo]

The idea of essentially making our users into unwitting beta testers makes me uncomfortable. When it breaks we're holding the pieces. What do you think?

Well, to be honest, I don't feel like doing it in that case. I don't really think it's such an important feature for us to rush.