Changeset 546bf35 in mod_gnutls


Timestamp:
Jan 13, 2020, 10:52:16 AM (9 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
adcd021
Parents:
9bc842e
Message:

Update documentation on OCSP stapling

Location:
doc
Files:
2 edited

  • doc/mod_gnutls_manual.md

    r9bc842e r546bf35  
    523523---------------------------
    524524
    525 ### GnuTLSOCSPStapling
    526 
    527 Enable OCSP stapling for this (virtual) host.
    528 
    529     GnuTLSOCSPStapling [On|Off]
    530 
    531 Default: *on* if requirements are met, *off* otherwise\
    532 Context: server config, virtual host
    533 
    534525OCSP stapling, formally known as the TLS Certificate Status Request
    535526extension, allows the server to provide the client with a cached OCSP
     
    540531prevent the client from getting a response.
    541532
    542 Using OCSP stapling has a few requirements:
    543 
    544 * `GnuTLSCertificateFile` must contain the issuer CA certificate in
    545   addition to the server certificate so responses can be verified.
    546 * The server certificate must either contain an OCSP access URI using
    547   HTTP, or `GnuTLSOCSPResponseFile` must be set.
    548 * Caching OCSP responses requires a cache to store responses. If
    549   `mod_socache_shmcb` is loaded `mod_gnutls` can set up the cache
    550   automatically without additional configuration, see
    551   `GnuTLSOCSPCache`.
    552 
    553 Stapling is activated by default if these requirements are met. If
     533With TLS 1.2 stapling can be used only for the server certificate,
     534with TLS 1.3 mod\_gnutls supports stapling for all certificates in the
     535certificate chain except the root CA.
     536
     537Mod\_gnutls enables OCSP stapling by default if possible. The following
     538requirements must be met:
     539
     540* OCSP responses are verified using the issuer CAs of the certificates
     541  being checked, so the CAs must be included in
     542  [`GnuTLSCertificateFile`](#gnutlscertificatefile). Providing the
     543  whole certificate chain (including the root CA) is recommended.
     544
     545* Mod\_gnutls needs a cache to store OCSP responses for stapling. If
     546  [mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
     547  is loaded mod\_gnutls can set up the cache without additional
     548  configuration, for other options see
     549  [`GnuTLSOCSPCache`](#gnutlsocspcache).
     550
     551* The certificates must contain OCSP access URIs using HTTP so
     552  mod_gnutls can fetch responses, alternatively you may provide
     553  responses using [`GnuTLSOCSPResponseFile`](#gnutlsocspresponsefile).
     554
     555If a server certificate contains the "must-staple" extension (X.509
     556TLS Feature extension defined in [RFC
     5577633](https://tools.ietf.org/html/rfc7633)) and the configuration does
     558not support stapling mod_gnutls will refuse to start.
     559
     560By default mod\_gnutls regularly refreshes the cached OCSP responses
     561in the background, see
     562[`GnuTLSOCSPAutoRefresh`](#gnutlsocspautorefresh) for details.
     563
     564### GnuTLSOCSPStapling
     565
     566Enable OCSP stapling for this (virtual) host.
     567
     568    GnuTLSOCSPStapling [On|Off]
     569
     570Default: *on* if requirements are met, *off* otherwise\
     571Context: server config, virtual host
     572
     573Stapling is activated by default if the requirements [listed
     574above](#ocsp-stapling-configuration) are met.
     575
     576If the server certificate requires stapling ("must-staple") or
    554577`GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are
    555578an error.
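Review bot: the recommendation "Providing the whole certificate chain (including the root CA) is recommended" should state its reason, because the hunk itself supplies it: the new text says that with TLS 1.3 responses are stapled for every certificate in the chain except the root, and that each response is verified using the issuer CA of the certificate being checked, so the intermediate CA's response can only be verified if the root is present in `GnuTLSCertificateFile`. Suggest appending ", because with TLS 1.3 the response for the intermediate CA is verified against the root." Two smaller points in the same hunk: `mod_gnutls` appears unescaped in "so mod_gnutls can fetch responses" and "mod_gnutls will refuse to start" while the rest of the added text writes `mod\_gnutls`, and the latter sentence needs a comma after "does not support stapling". The link target `#ocsp-stapling-configuration` is not visible in this hunk, so confirm a heading with exactly that anchor exists.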
     
    582605### GnuTLSOCSPAutoRefresh
    583606
    584 Regularly refresh cached OCSP response independent of TLS handshakes?
     607Regularly refresh cached OCSP responses independent of TLS handshakes?
    585608
    586609    GnuTLSOCSPAutoRefresh [On|Off]
     
    590613
    591614By default `mod_gnutls` will regularly refresh the cached OCSP
    592 response for hosts that have OCSP stapling enabled, regardless of
    593 whether it is used. This has advantages over updating the OCSP
    594 response only if a TLS handshake needs it:
     615responses, regardless of whether they are used. This has advantages
     616over updating OCSP responses only when a TLS handshake needs them:
     617
     618* Handshakes are not delayed by updating the OCSP response cache
     619  first.
    595620
    596621* Updating the cached response before it expires can hide short
    597622  unavailability of the OCSP responder, if a repeated request is
    598623  successful before the cache expires (see below).
    599 
    600 * Handshakes are not slowed down by fetching responses.
    601624
    602625The interval to the next request is determined as follows: After a
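Review bot: the unchanged context line "By default `mod_gnutls` will regularly refresh" keeps the backticked code-span form of the module name, whereas the text added earlier in this changeset uses plain `mod\_gnutls`; since this hunk already rewrites the following sentence, it is the natural place to pick one form for the whole section. The rewording itself reads well: "Handshakes are not delayed by updating the OCSP response cache first" is clearer than the removed "not slowed down by fetching responses", and "(see below)" correctly points at the interval description that follows the list.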
  • doc/style.css

    r9bc842e r546bf35  
    1111    padding: 12px;
    1212}
    13 p code {
     13p code, li code {
    1414    background: #f5f5f5;
    1515    border-radius: 4px;