debian/masterdebian/stretch-backportsupstream
|
Last change
on this file since b0e4ce6 was
e1c094c,
checked in by Thomas Klute <thomas2.klute@…>, 3 years ago
|
|
Replace GnuTLSOCSPGraceTime with GnuTLSOCSPCacheTimeout
Configuring a timeout instead a time relative to the nextUpdate field
of the OCSP response has two main advantages:
- The maximum cache lifetime is independent of any external data. The
OCSP response is signed and the CA generally a trusted entity, but
its policy is almost always outside the server admin's control and
might change.
- The principle is a lot simpler and thus less likely to lead to
implementation or configuration errors.
Additionally a static timeout policy should make it easier to
implement asynchronous cache updates for MPMs that support it.
|
-
Property mode set to
100644
|
|
File size:
387 bytes
|
| Line | |
|---|
| 1 | Define OCSP_PORT ${OCSP_PORT} |
|---|
| 2 | |
|---|
| 3 | Include ${srcdir}/base_apache.conf |
|---|
| 4 | Include ${srcdir}/ocsp_server.conf |
|---|
| 5 | GnuTLSCache dbm cache/gnutls_cache |
|---|
| 6 | |
|---|
| 7 | <VirtualHost _default_:${TEST_PORT}> |
|---|
| 8 | ServerName ${TEST_HOST} |
|---|
| 9 | GnuTLSEnable On |
|---|
| 10 | GnuTLSOCSPStapling On |
|---|
| 11 | GnuTLSOCSPCacheTimeout 60 |
|---|
| 12 | GnuTLSCertificateFile server/x509-chain.pem |
|---|
| 13 | GnuTLSKeyFile server/secret.key |
|---|
| 14 | GnuTLSPriorities NORMAL |
|---|
| 15 | </VirtualHost> |
|---|
Note: See
TracBrowser
for help on using the repository browser.
