Changeset 546bf35 in mod_gnutls
- Timestamp:
- Jan 13, 2020, 10:52:16 AM
- Branches:
- asyncio, master, proxy-ticket
- Children:
- adcd021
- Parents:
- 9bc842e
- Location:
- doc
- Files:
- 2 edited
doc/mod_gnutls_manual.md
r9bc842e r546bf35 523 523 --------------------------- 524 524 525 ### GnuTLSOCSPStapling526 527 Enable OCSP stapling for this (virtual) host.528 529 GnuTLSOCSPStapling [On|Off]530 531 Default: *on* if requirements are met, *off* otherwise\532 Context: server config, virtual host533 534 525 OCSP stapling, formally known as the TLS Certificate Status Request 535 526 extension, allows the server to provide the client with a cached OCSP … … 540 531 prevent the client from getting a response. 541 532 542 Using OCSP stapling has a few requirements: 543 544 * `GnuTLSCertificateFile` must contain the issuer CA certificate in 545 addition to the server certificate so responses can be verified. 546 * The server certificate must either contain an OCSP access URI using 547 HTTP, or `GnuTLSOCSPResponseFile` must be set. 548 * Caching OCSP responses requires a cache to store responses. If 549 `mod_socache_shmcb` is loaded `mod_gnutls` can set up the cache 550 automatically without additional configuration, see 551 `GnuTLSOCSPCache`. 552 553 Stapling is activated by default if these requirements are met. If 533 With TLS 1.2 stapling can be used only for the server certificate, 534 with TLS 1.3 mod\_gnutls supports stapling for all certificates in the 535 certificate chain except the root CA. 536 537 Mod\_gnutls enables OCSP stapling by default if possible. The following 538 requirements must be met: 539 540 * OCSP responses are verified using the issuer CAs of the certificates 541 being checked, so the CAs must be included in 542 [`GnuTLSCertificateFile`](#gnutlscertificatefile). Providing the 543 whole certificate chain (including the root CA) is recommended. 544 545 * Mod\_gnutls needs a cache to store OCSP responses for stapling. If 546 [mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html) 547 is loaded mod\_gnutls can set up the cache without additional 548 configuration, for other options see 549 [`GnuTLSOCSPCache`](#gnutlsocspcache). 
550 551 * The certificates must contain OCSP access URIs using HTTP so 552 mod_gnutls can fetch responses, alternatively you may provide 553 responses using [`GnuTLSOCSPResponseFile`](#gnutlsocspresponsefile). 554 555 If a server certificate contains the "must-staple" extension (X.509 556 TLS Feature extension defined in [RFC 557 7633](https://tools.ietf.org/html/rfc7633)) and the configuration does 558 not support stapling mod_gnutls will refuse to start. 559 560 By default mod\_gnutls regularly refreshes the cached OCSP responses 561 in the background, see 562 [`GnuTLSOCSPAutoRefresh`](#gnutlsocspautorefresh) for details. 563 564 ### GnuTLSOCSPStapling 565 566 Enable OCSP stapling for this (virtual) host. 567 568 GnuTLSOCSPStapling [On|Off] 569 570 Default: *on* if requirements are met, *off* otherwise\ 571 Context: server config, virtual host 572 573 Stapling is activated by default if the requirements [listed 574 above](#ocsp-stapling-configuration) are met. 575 576 If the server certificate requires stapling ("must-staple") or 554 577 `GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are 555 578 an error. … … 582 605 ### GnuTLSOCSPAutoRefresh 583 606 584 Regularly refresh cached OCSP response independent of TLS handshakes?607 Regularly refresh cached OCSP responses independent of TLS handshakes? 585 608 586 609 GnuTLSOCSPAutoRefresh [On|Off] … … 590 613 591 614 By default `mod_gnutls` will regularly refresh the cached OCSP 592 response for hosts that have OCSP stapling enabled, regardless of 593 whether it is used. This has advantages over updating the OCSP 594 response only if a TLS handshake needs it: 615 responses, regardless of whether they are used. This has advantages 616 over updating OCSP responses only when a TLS handshake needs them: 617 618 * Handshakes are not delayed by updating the OCSP response cache 619 first. 
595 620 596 621 * Updating the cached response before it expires can hide short 597 622 unavailability of the OCSP responder, if a repeated request is 598 623 successful before the cache expires (see below). 599 600 * Handshakes are not slowed down by fetching responses.601 624 602 625 The interval to the next request is determined as follows: After a -
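Review bot: the new requirements text at lines 551-553 ("The certificates must contain OCSP access URIs using HTTP so mod_gnutls can fetch responses") does not say what happens, now that TLS 1.3 chain stapling is documented at lines 533-535, when one intermediate in the chain has no OCSP URI and no `GnuTLSOCSPResponseFile`: is that an unmet requirement (so startup fails for a must-staple certificate, line 558) or is stapling just skipped for that certificate? State which. In the same list, line 543 recommends including the root CA in `GnuTLSCertificateFile` right after line 535 says nothing is stapled for the root; spell out that the root is there to verify the response for the last intermediate, otherwise the two sentences read as contradicting each other. Escaping is also inconsistent within the hunk: `mod\_gnutls` at lines 534 and 537 versus bare `mod_gnutls` at lines 552 and 558.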
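Review bot: line 533 is a comma splice ("With TLS 1.2 stapling can be used only for the server certificate, with TLS 1.3 mod\_gnutls supports stapling for all certificates ..."); split it into two sentences. The cross-reference added at lines 573-574 links to `#ocsp-stapling-configuration`, but the heading it points at sits above the hunk (only its underline at line 523 is visible), so check that the rendered heading actually produces that id, since a broken intra-document anchor would leave the requirements list unreachable from the directive entry.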
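Review bot: lines 614-616 drop the old qualifier "for hosts that have OCSP stapling enabled", so the sentence now says all cached responses are refreshed "regardless of whether they are used" without saying which responses exist; with chain stapling documented earlier in the same patch, say whether intermediate-CA responses are refreshed on the same schedule as the server certificate's, or the reader cannot tell what `GnuTLSOCSPAutoRefresh` covers. The bullet reorder at lines 618-623 is fine; the removed line 600 is subsumed by the new first bullet.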
doc/style.css
r9bc842e r546bf35 11 11 padding: 12px; 12 12 } 13 p code {13 p code, li code { 14 14 background: #f5f5f5; 15 15 border-radius: 4px;
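Review bot: `p code, li code` at line 13 fixes the inline code in the new requirement bullets, but it still leaves `code` inside table cells, headings and blockquotes unstyled; consider selecting `code` generally and resetting the background and border-radius for `pre code`, rather than enumerating parent elements one at a time.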