Changeset 2246a84 in mod_gnutls for doc/mod_gnutls_manual.mdwn
- Timestamp:
- Apr 21, 2018, 3:51:51 PM (3 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- 7921dc7
- Parents:
- fa6d0bb
- File:
- 1 edited
doc/mod_gnutls_manual.mdwn
rfa6d0bb r2246a84 4 4 5 5 `mod_gnutls` is a module for the Apache web server that provides HTTPS 6 (HTTP over Transport Layer Security (TLS) or the older Secure Sockets7 Layer (SSL)) using the GnuTLS library. More information about the 8 module can be found at[the project's website](https://mod.gnutls.org/).6 (HTTP over Transport Layer Security (TLS)) using the GnuTLS library. 7 More information about the module can be found at 8 [the project's website](https://mod.gnutls.org/). 9 9 10 10 * * * * * … … 568 568 OCSP cache updates are serialized using the `gnutls-ocsp` mutex. 569 569 570 ### GnuTLSOCSPAutoRefresh 571 572 Regularly refresh cached OCSP response independent of TLS handshakes? 573 574 GnuTLSOCSPAutoRefresh [On|Off] 575 576 Default: *on*\ 577 Context: server config, virtual host 578 579 By default `mod_gnutls` will regularly refresh the cached OCSP 580 response for hosts that have OCSP stapling enabled, regardless of 581 whether it is used. This has advantages over updating the OCSP 582 response only if a TLS handshake needs it: 583 584 * Updating the cached response before it expires can hide short 585 unavailability of the OCSP responder, if a repeated request is 586 successful before the cache expires (see below). 587 588 * Handshakes are not slowed down by fetching responses. 589 590 The interval to the next request is determined as follows: After a 591 successful OCSP request the next one is scheduled for a random period 592 between `GnuTLSOCSPFuzzTime` and half of it before 593 `GnuTLSOCSPCacheTimeout` expires. For example, if the cache timeout is 594 3600 seconds and the fuzz time 600 seconds, the next request will be 595 sent after 3000 to 3300 seconds. If the validity period of the 596 response expires before then, the selected interval is halved until it 597 is smaller than the time until expiry. If an OCSP request fails, it is 598 retried after `GnuTLSOCSPFailureTimeout`. 
599 600 Regularly updating the OCSP cache requires `mod_watchdog`, 601 `mod_gnutls` will fall back to updating the OCSP cache during 602 handshakes if `mod_watchdog` is not available or this option is set to 603 `Off`. 604 570 605 ### GnuTLSOCSPCheckNonce 571 606 … … 640 675 one means that stapling will remain disabled for longer after a failed 641 676 request. 677 678 ### GnuTLSOCSPFuzzTime 679 680 Update the cached OCSP response up to this time before the cache expires 681 682 GnuTLSOCSPFuzzTime SECONDS 683 684 Default: *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*\ 685 Context: server config, virtual host 686 687 Refreshing the cached response before it expires hides short OCSP 688 responder unavailability. See `GnuTLSOCSPAutoRefresh` for how this 689 value is used, using at least twice `GnuTLSOCSPFailureTimeout` is 690 recommended. 642 691 643 692 ### GnuTLSOCSPSocketTimeout
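Review bot: The last paragraph of the new `GnuTLSOCSPAutoRefresh` section (lines 600-603) is a comma splice that reads as one condition; suggest splitting it into "Regularly updating the OCSP cache requires `mod_watchdog`. `mod_gnutls` will fall back to updating the OCSP cache during handshakes if `mod_watchdog` is not available or this option is set to `Off`." Two smaller points in the same section: `Default: *on*` (line 576) should use the same spelling as the `[On|Off]` syntax line, and the "(see below)" in the first bullet (line 586) should name its referent, since the retry behaviour it points at is the `GnuTLSOCSPFailureTimeout` sentence at the end of the interval paragraph and nothing in the section is labelled "below". Finally, the text says the refresh happens "regardless of whether it is used"; it would help operators to state plainly that every virtual host with stapling enabled therefore generates periodic outbound OCSP requests even when idle, which matters for responder load and for contention on the `gnutls-ocsp` mutex mentioned at line 568.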
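Review bot: The new `GnuTLSOCSPFuzzTime` section (lines 678-690) does not document the valid range or what happens when the value is larger than `GnuTLSOCSPCacheTimeout`. Under the rule given in `GnuTLSOCSPAutoRefresh` the next request is scheduled between the fuzz time and half of it before the cache timeout expires, so a fuzz time at or above the cache timeout yields a zero or negative interval; the section should say whether such a value is rejected when the configuration is parsed, clamped, or absorbed by the halving rule. The closing sentence is also a comma splice; suggest "See `GnuTLSOCSPAutoRefresh` for how this value is used. Using at least twice `GnuTLSOCSPFailureTimeout` is recommended." Minor: the summary line at 680 ("Update the cached OCSP response up to this time before the cache expires") lacks the closing punctuation used by the summary at line 572.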