From: Jim Jagielski Date: Mon, 27 Oct 2014 12:41:31 +0000 (+0000) Subject: Merge r1633730 from trunk: X-Git-Tag: 2.4.11~227 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5cec12c04261dbbcdee3ac275c9547b454411413;p=apache Merge r1633730 from trunk: add OCSP Stapling configuration, disabled by default Submitted by: trawick Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634521 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index ccb5483e3c..858b1774c0 100644 --- a/STATUS +++ b/STATUS @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * default SSL configuration: provide sample OCSP Stapling configuration - trunk patch: http://svn.apache.org/r1633730 - 2.4.x patch: http://people.apache.org/~trawick/2.4.x-sample-ocsp-stapling.txt - +1: trawick, covener, gsmith - * mod_substitute: Fix memory limitation in case of regexp plus flatten. trunk patch: http://svn.apache.org/r1628104 http://svn.apache.org/r1628918 (CHANGES) diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index 21ef9bb8b8..87c99ce3e1 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in 
@@ -73,6 +73,31 @@ SSLPassPhraseDialog builtin SSLSessionCache "shmcb:@exp_runtimedir@/ssl_scache(512000)" SSLSessionCacheTimeout 300 +# OCSP Stapling (requires OpenSSL 0.9.8h or later) +# +# This feature is disabled by default and requires at least +# the two directives SSLUseStapling and SSLStaplingCache. +# Refer to the documentation on OCSP Stapling in the SSL/TLS +# How-To for more information. +# +# Enable stapling for all SSL-enabled servers: +#SSLUseStapling On + +# Define a relatively small cache for OCSP Stapling using +# the same mechanism that is used for the SSL session cache +# above. If stapling is used with more than a few certificates, +# the size may need to be increased. (AH01929 will be logged.) +#SSLStaplingCache "shmcb:@exp_runtimedir@/ssl_stapling(32768)" + +# Override the OCSP responder URL specified in the certificate +#SSLStaplingForceURL http://ocsp.example.com/ + +# Seconds before valid OCSP responses are expired from the cache +#SSLStaplingStandardCacheTimeout 3600 + +# Seconds before invalid OCSP responses are expired from the cache +#SSLStaplingErrorCacheTimeout 600 + ## ## SSL Virtual Host Context ##
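Review bot: In the httpd-ssl.conf.in hunk, the commented `SSLStaplingForceURL http://ocsp.example.com/` sample sits at global scope directly under "Enable stapling for all SSL-enabled servers". An admin who uncomments it along with the lines above it would point every certificate on the server at one responder, whatever responder each certificate names. The comment should say the directive is only needed when the responder URL in the certificate has to be overridden, and that it is normally set per virtual host. Separately, the parenthetical "(AH01929 will be logged.)" in the SSLStaplingCache comment does not say what condition triggers the message. Rewording it along the lines of "AH01929 will be logged if the cache is too small" would let a reader match the log entry to the fix.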