[jessie] Enable OCSP Stapling for TorProject.org

It would be very good if TorProject.org and related websites (blog, trac) enabled OCSP stapling. This would not require someone to 'choose' (I say choose cause it's an option you set, not something you choose on each visit) between checking for up-to-date revocation information and violating their privacy by leaking the visit for TP to a random third party.

added component::internal services/tor sysadmin team priority::medium resolution::fixed severity::normal status::closed type::defect labels

This would be a sysadmin thing.

Trac:
Component: Website to Tor Sysadmin Team

AIUI, from a quick glance, this requires at least apache httpd 2.3.

Trac:
Summary: Enable OCSP Stapling for TorProject.org to [jessie] Enable OCSP Stapling for TorProject.org

That is accurate.

When upgrading to Apache 2.4 I have found that some modules I used did not support 2.4, but most did. I'm assuming you're not using mod_mono ;) but I'd be curious if the blocker is lack of time to test and deploy an upgrade, lack of desire to use 2.4 for some reason (and why), or if software in use does not support it, in which case I can go try and figure out that problem =)

It means we probably will have to upgrade to jessie first. Once that is done, we can re-visit the issue.

on jessie hosts, we do that now.

Trac:
Status: new to closed
Resolution: N/A to fixed

OCSP stapling is not working on www.torproject.org, trac.torproject.org, blog.torproject.org.

openssl s_client -connect www.torproject.org:443 -tls1_2 -tlsextdebug -status CONNECTED(00000007) TLS server extension "renegotiation info" (id=65281), len=1 0001 - <SPACES/NULS> TLS server extension "EC point formats" (id=11), len=4 0000 - 03 00 01 02 .... TLS server extension "session ticket" (id=35), len=0 TLS server extension "heartbeat" (id=15), len=1 0000 - 01 . OCSP response: no response sent [...]

(TBB is sending OCSP requests for *.torproject.org to ocsp.digicert.com.)

Trac:
Username: someone_else
Status: closed to reopened
Resolution: fixed to N/A

I said we do that on jessie hosts. Not all our hosts do jessie yet.

Trac:
Resolution: N/A to fixed
Status: reopened to closed

Replying to weasel:

I said we do that on jessie hosts. Not all our hosts do jessie yet.

From what I can tell there are exactly 0 publically accessible jessie hosts.

All of these don't do OCSP stapling: archive.torproject.org blog.torproject.org bwauth.torproject.org compass.torproject.org consensus-health.torproject.org db.torproject.org git.torproject.org gitweb.torproject.org jenkins.torproject.org lists.torproject.org media.torproject.org metrics.torproject.org munin.torproject.org nagios.torproject.org people.torproject.org rt.torproject.org svn.torproject.org trac.torproject.org translation.torproject.org weather.torproject.org www.torproject.org

alberti.torproject.org archeotrichon.torproject.org aroides.torproject.org eugeni.torproject.org gayi.torproject.org listera.torproject.org majus.torproject.org materculae.torproject.org meronense.torproject.org mongolicum.torproject.org moschatum.torproject.org motor.torproject.org nova.torproject.org omeiense.torproject.org perdulce.torproject.org polyanthum.torproject.org rouyi.torproject.org rude.torproject.org schmitzi.torproject.org stellatum.torproject.org tanguticum.torproject.org troodi.torproject.org vineale.torproject.org yatei.torproject.org

All other machines listed on https://db.torproject.org/machines.cgi are not accessible.

Trac:
Username: someone_else

apache falls over in various mutex failures when ocsp stapling is enabled. Thus not using it after all.

Trac:
Sponsor: N/A to N/A
Severity: N/A to Normal

closed

mentioned in issue #13625 (moved)