Ocsp Responder Caching

Written by  on Februar 5, 2016 

Dreht man einen Microsoft OCSP Responder ab, schlägt das Monitoring darauf nicht an. Warum?

Weil die OCSP Responses vom IIS gecached werden und zwar für so lange wie auch die CRL noch gültig wäre!

Response caching. After a request is received and a certificate serial number is extracted, the Online Responder Web proxy will check the local cache for a valid response. The cache is implemented as part of the ISAPI extension and is an in-memory cache. If a client request generates a cache fault, the Online Responder Web proxy will make a request to the Online Responder service for a response. The cache item validity period is set to the CRL validity period from which the response was generated or to the signing key validity, whichever is shorter.

Zusätzlich wird noch für 120 Sekunden gecached.

In addition to the OCSP ISAPI extension caching, the IIS HTTP.SYS library performs caching for 120 seconds. Multiple requests to the Online Responder in that time period will be served with the HTTP.SYS-cached response.

Online Responder Installation, Configuration, and Troubleshooting Guide

Category : Allgemein

Tags :

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.