11 Jan
2023
11 Jan
'23
8:23 p.m.
OCSP support was introduced in the latest development cycle. In improves revocation check performance in general, although the caching is currently performed by CRL revocation check only. Also, even that result is not used before performing OCSP check which goes first, effectively forcing OCSP check to be always performed when a certificate has OCSP info. That leads to performance regression in some cases.
I believe once we validated revocation either way it is safe to assume the cached result valid until NextUpdate regardless of the method (that what the first patch does). Then, we can also cache the result of OCSP response the same way we do for CRL (second patch).