Changeset 2246a84 in mod_gnutls for doc/mod_gnutls_manual.mdwn


Timestamp:
Apr 21, 2018, 3:51:51 PM
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
7921dc7
Parents:
fa6d0bb
Message:

Make automatic OCSP cache updates and fuzz time configurable

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rfa6d0bb r2246a84  
    44
    55`mod_gnutls` is a module for the Apache web server that provides HTTPS
    6 (HTTP over Transport Layer Security (TLS) or the older Secure Sockets
    7 Layer (SSL)) using the GnuTLS library.  More information about the
    8 module can be found at [the project's website](https://mod.gnutls.org/).
     6(HTTP over Transport Layer Security (TLS)) using the GnuTLS library.
     7More information about the module can be found at
     8[the project's website](https://mod.gnutls.org/).
    99
    1010* * * * *
     
    568568OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
    569569
     570### GnuTLSOCSPAutoRefresh
     571
     572Regularly refresh cached OCSP response independent of TLS handshakes?
     573
     574    GnuTLSOCSPAutoRefresh [On|Off]
     575
     576Default: *on*\
     577Context: server config, virtual host
     578
     579By default `mod_gnutls` will regularly refresh the cached OCSP
     580response for hosts that have OCSP stapling enabled, regardless of
     581whether it is used. This has advantages over updating the OCSP
     582response only if a TLS handshake needs it:
     583
     584* Updating the cached response before it expires can hide short
     585  unavailability of the OCSP responder, if a repeated request is
     586  successful before the cache expires (see below).
     587
     588* Handshakes are not slowed down by fetching responses.
     589
     590The interval to the next request is determined as follows: After a
     591successful OCSP request the next one is scheduled for a random period
     592between `GnuTLSOCSPFuzzTime` and half of it before
     593`GnuTLSOCSPCacheTimeout` expires. For example, if the cache timeout is
     5943600 seconds and the fuzz time 600 seconds, the next request will be
     595sent after 3000 to 3300 seconds. If the validity period of the
     596response expires before then, the selected interval is halved until it
     597is smaller than the time until expiry. If an OCSP request fails, it is
     598retried after `GnuTLSOCSPFailureTimeout`.
     599
     600Regularly updating the OCSP cache requires `mod_watchdog`,
     601`mod_gnutls` will fall back to updating the OCSP cache during
     602handshakes if `mod_watchdog` is not available or this option is set to
     603`Off`.
     604
    570605### GnuTLSOCSPCheckNonce
    571606
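Review bot: lines 600-603 are a comma splice; split the sentence after `mod_watchdog`, e.g. "Regularly updating the OCSP cache requires `mod_watchdog`. `mod_gnutls` will fall back to updating the OCSP cache during handshakes if `mod_watchdog` is not available or this option is set to `Off`." Line 576 also states the default as *on* while the syntax line shows `[On|Off]`; use the same spelling in both so the default matches an accepted value. Finally, the interval rule on lines 595-597 ("halved until it is smaller than the time until expiry") states no lower bound, so a response that is about to expire would be re-requested at very short intervals; if the code enforces a minimum, say so here.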
     
    640675one means that stapling will remain disabled for longer after a failed
    641676request.
     677
     678### GnuTLSOCSPFuzzTime
     679
     680Update the cached OCSP response up to this time before the cache expires
     681
     682    GnuTLSOCSPFuzzTime SECONDS
     683
     684Default: *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*\
     685Context: server config, virtual host
     686
     687Refreshing the cached response before it expires hides short OCSP
     688responder unavailability. See `GnuTLSOCSPAutoRefresh` for how this
     689value is used, using at least twice `GnuTLSOCSPFailureTimeout` is
     690recommended.
    642691
    643692### GnuTLSOCSPSocketTimeout
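Review bot: the default on line 684, *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*, can exceed `GnuTLSOCSPCacheTimeout` when an administrator configures a large failure timeout, and under the scheduling rule given for `GnuTLSOCSPAutoRefresh` that would place the next refresh before the current one; document whether the value is capped at the cache timeout or whether a larger value is treated as a configuration error. Lines 687-690 are also a comma splice: "See `GnuTLSOCSPAutoRefresh` for how this value is used; using at least twice `GnuTLSOCSPFailureTimeout` is recommended." The one-line description on line 680 lacks terminal punctuation.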