KB Article #180001

How Server Validator caches OCSP responses

Observed Behavior

In the Server Validator log file, you see that the first request always goes out to the responder or AIA; subsequent requests for the remainder of that transaction are served from the cache, and the cycle repeats on the next transaction. The problem is that when the responder and AIA are unavailable, the OCSP response is not taken from the cache.

Explanation

This behavior results from the architecture of Server Validator.

  • Server Validator is loaded as a module within Apache or OHS using the LoadModule directive in httpd.conf.
  • When Apache/OHS runs, it spawns multiple httpd processes. Each one will have its own in-memory copy of the vcapache module.
  • So, for each process, the cache will be different.
  • For all transactions in a particular process, the first request always goes out to the responder and subsequent requests will be from cache.
  • This behavior is exhibited until the cache expires or is full, and then it repeats.
  • Since Apache/OHS spawns multiple httpd processes, it is not possible to control which one handles the revocation check request.
  • Therefore, it is not possible to answer a new revocation check request from the cached result of an old one.
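The consequence of per-process caching, as an added illustrative model rather than Server Validator's own code: each httpd process keeps its own cache, Apache picks the process, and a process that has never seen the certificate has nothing to fall back on when the responder is down. The process names, serial number, validity window and cache capacity are constructed values.

```python
import random
from collections import OrderedDict


class Responder:
    """Constructed stand-in for the OCSP responder / AIA endpoint."""
    def __init__(self):
        self.available = True
        self.calls = 0

    def query(self, serial, now):
        self.calls += 1
        if not self.available:
            raise ConnectionError("responder and AIA unreachable")
        return "good", now + 300          # constructed status and validity window


class HttpdProcess:
    """One httpd worker: its own in-memory cache that no other process can see."""
    def __init__(self, name, responder, capacity=2):
        self.name, self.responder, self.capacity = name, responder, capacity
        self.cache = OrderedDict()        # serial -> (status, expires_at)

    def check(self, serial, now):
        entry = self.cache.get(serial)
        if entry and entry[1] > now:
            return entry[0], "cache"      # answered locally, no network call
        try:
            status, expires_at = self.responder.query(serial, now)
        except ConnectionError:
            return "unknown", "unavailable"   # nothing usable in this process
        if len(self.cache) >= self.capacity:
            self.cache.popitem(last=False)    # cache full: evict the oldest entry
        self.cache[serial] = (status, expires_at)
        return status, "responder"


def dispatch(workers, serial, now, rng):
    """Apache hands the request to whichever process is free; the caller cannot choose."""
    return rng.choice(workers).check(serial, now)


def simulate(n_workers, n_requests, seed=1):
    """Return (responder calls, per-request sources) for one serial across n_workers."""
    responder = Responder()
    workers = [HttpdProcess(f"httpd-{i}", responder) for i in range(n_workers)]
    rng = random.Random(seed)
    sources = [dispatch(workers, "0x1234", now, rng)[1] for now in range(n_requests)]
    return responder.calls, sources
```

With one process the responder is contacted once and every later request is a cache hit; with several processes the responder is contacted once per process that receives the request, which is what the log pattern shows.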