Changeset 5a5032f in mod_gnutls for doc


Timestamp:
Jun 20, 2016, 2:50:50 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
e9ef72c
Parents:
4c529de
git-author:
Thomas Klute <thomas2.klute@…> (06/20/16 12:31:13)
git-committer:
Thomas Klute <thomas2.klute@…> (06/20/16 14:50:50)
Message:

Documentation for OCSP stapling options

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    rc005645 r5a5032f  
    546546takes the same parameters as `GnuTLSPriorities`. Required if
    547547`GnuTLSProxyEngine` is `On`.
     548
     549`GnuTLSOCSPStapling`
     550------------------
     551
     552EXPERIMENTAL: Enable OCSP stapling for this (virtual) host.
     553
     554    GnuTLSOCSPStapling [On|Off]
     555
     556Default: *off*\
     557Context: server config, virtual host
     558
     559OCSP stapling, formally known as the TLS Certificate Status Request
     560extension, allows the server to provide the client with an OCSP
     561response for its certificate during the handshake. This way the client
     562does not have to send an OCSP request to the CA to check the
     563certificate status, which offers privacy and performance advantages.
     564
     565Using OCSP stapling has a few requirements:
     566
     567* Caching OCSP responses requires a cache, so `GnuTLSCache` must not
     568  be `none`.
     569* `GnuTLSCertificateFile` must contain the issuer CA certificate in
     570  addition to the server certificate so responses can be verified.
     571* The certificate must either contain an OCSP access URI using HTTP,
     572  or `GnuTLSOCSPResponseFile` must be set.
     573
     574OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
     575
     576`GnuTLSOCSPResponseFile`
     577------------------
     578
     579EXPERIMENTAL: Read the OCSP response for stapling from this file
     580instead of sending a request over HTTP
     581
     582    GnuTLSOCSPResponseFile /path/to/response.der
     583
     584Default: *empty*\
     585Context: server config, virtual host
     586
     587The response file must be updated externally, for example using a cron
     588job. This option is an alternative to the server fetching OCSP
     589responses over HTTP. Reasons to use this option include:
     590
     591* Performing OCSP requests separate from the web server, to prevent slow
     592  responses from stalling handshakes.
     593* The issuer CA uses an access method other than HTTP.
     594* Testing
     595
     596`GnuTLSOCSPGraceTime`
     597------------------
     598
     599EXPERIMENTAL: Replace cached OCSP responses this many seconds before
     600they expire.
     601
     602    GnuTLSOCSPGraceTime SECONDS
     603
     604Default: *60*\
     605Context: server config, virtual host
     606
     607A cached OCSP response should be updated a little before it expires to
     608account for potential clock skew between server, CA, and client, as
     609well as transmission time in corner cases.
    548610
    549611* * * * *
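Review bot: The `GnuTLSOCSPResponseFile` section leaves the file format and the failure behaviour undocumented. The example `GnuTLSOCSPResponseFile /path/to/response.der` implies a DER-encoded response, but the text never says so, and nothing states what the server does when the file is missing, unreadable, or holds a response that has already expired (no status sent, or the stale response stapled anyway). Since the text says the file "must be updated externally, for example using a cron job", operators need that to judge the impact of a broken cron job; suggest stating the expected encoding and the behaviour on a stale or missing file. Two smaller points in the same hunk: the description "instead of sending a request over HTTP" is missing its terminating period, and the requirements list under `GnuTLSOCSPStapling` should say whether `GnuTLSCache` is still required when `GnuTLSOCSPResponseFile` is set, since the cache is described only as needed for "Caching OCSP responses". For `GnuTLSOCSPGraceTime`, a value larger than the validity period of the CA's responses would make every cached response count as due for replacement immediately, so a sentence advising operators to keep it well below the OCSP response lifetime would help.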