From 008837ab2c29f5ced34ee7ebe0f12f49ad008578 Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@apache.org>
Date: Thu, 23 Oct 2014 12:01:13 +0000
Subject: [PATCH] make docs

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1633797 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/ssl/ssl_howto.html.en  | 117 +++++++++++++++++++++++++++++
 docs/manual/ssl/ssl_howto.html.fr  |   2 +
 docs/manual/ssl/ssl_howto.xml.fr   |   2 +-
 docs/manual/ssl/ssl_howto.xml.meta |   2 +-
 4 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/docs/manual/ssl/ssl_howto.html.en b/docs/manual/ssl/ssl_howto.html.en
index a488980893..c19a424ca1 100644
--- a/docs/manual/ssl/ssl_howto.html.en
+++ b/docs/manual/ssl/ssl_howto.html.en
@@ -33,6 +33,7 @@ before progressing to the advanced techniques.</p>
 </div>
 <div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#configexample">Basic Configuration Example</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforcing Strong Security</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ocspstapling">OCSP Stapling</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#logging">Logging</a></li>
 </ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
@@ -101,6 +102,122 @@ SSLCipherSuite HIGH:!aNULL:!MD5
 &lt;/Location&gt;</pre>
 
 
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ocspstapling" id="ocspstapling">OCSP Stapling</a></h2>
+
+
+<p>The Online Certificate Status Protocol (OCSP) is a mechanism for
+determining whether or not a server certificate has been revoked, and OCSP
+Stapling is a special form of this in which the server, such as httpd and
+mod_ssl, maintains current OCSP responses for its certificates and sends
+them to clients which communicate with the server.  Most certificates
+contain the address of an OCSP responder maintained by the issuing
+Certificate Authority, and mod_ssl can communicate with that responder to
+obtain a signed response that can be sent to clients communicating with
+the server.</p>
+
+<p>Because the client can obtain the certificate revocation status from
+the server, without requiring an extra connection from the client to the
+Certificate Authority, OCSP Stapling is the preferred way for the
+revocation status to be obtained.  Other benefits of eliminating the 
+communication between clients and the Certificate Authority are that the
+client browsing history is not exposed to the Certificate Authority and
+obtaining status is more reliable by not depending on potentially heavily
+loaded Certificate Authority servers.</p>
+
+<p>Because the response obtained by the server can be reused for all clients
+using the same certificate during the time that the response is valid, the
+overhead for the server is minimal.</p>
+
+<p>Once general SSL support has been configured properly, enabling OCSP
+Stapling generally requires only very minor modifications to the httpd
+configuration &#8212; the addition of these two directives:</p>
+
+    <pre class="prettyprint lang-config">SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"</pre>
+
+
+<p>These directives are placed at global scope (i.e., not within a virtual
+host definition) wherever other global SSL configuration directives are
+placed, such as in <code>conf/extra/httpd-ssl.conf</code> for normal 
+open source builds of httpd, <code>/etc/apache2/mods-enabled/ssl.conf</code>
+for the Ubuntu or Debian-bundled httpd, etc.</p>
+
+<p>The path on the <code class="directive">SSLStaplingCache</code> directive
+(e.g., <code>logs/</code>) should match the one on the 
+<code class="directive">SSLSessionCache</code> directive.  This path is relative
+to <code class="directive">ServerRoot</code>.</p>
+
+<p>The following sections highlight the most common situations which require
+further modification to the configuration.  Refer also to the 
+<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> reference manual.</p>
+
+<h3>If more than a few SSL certificates are used for the server</h3>
+
+<p>OCSP responses are stored in the SSL stapling cache.  While the responses
+are typically a few hundred to a few thousand bytes in size, mod_ssl 
+supports OCSP responses up to around 10K bytes in size.  With more than a 
+few certificates, the stapling cache size (32768 bytes in the example above) 
+may need to be increased.  Error message AH01929 will be logged in case of
+an error storing a response.</p>
+
+
+<h3>If the certificate does not point to an OCSP responder, or if a
+different address must be used</h3>
+
+<p>Refer to the 
+<code class="directive"><a href="../mod/mod_ssl.html#sslstaplingforceurl">SSLStaplingForceURL</a></code> directive.</p>
+
+<p>You can confirm that a server certificate points to an OCSP responder
+using the openssl command-line program, as follows:</p>
+
+<pre>$ openssl x509 -in ./www.example.com.crt -text | grep 'OCSP.*http'
+OCSP - URI:http://ocsp.example.com</pre>
+
+<p>If the OCSP URI is provided and the web server can communicate to it
+directly without using a proxy, no configuration is required.  Note that
+firewall rules that control outbound connections from the web server may
+need to be adjusted.</p>
+
+<p>If no OCSP URI is provided, contact your Certificate Authority to
+determine if one is available; if so, configure it with
+<code class="directive"><a href="../mod/mod_ssl.html#sslstaplingforceurl">SSLStaplingForceURL</a></code> in the virtual
+host that uses the certificate.</p>
+
+
+<h3>If multiple SSL-enabled virtual hosts are configured and OCSP
+Stapling should be disabled for some</h3>
+
+
+<p>Add <code>SSLUseStapling Off</code> to the virtual hosts for which OCSP
+Stapling should be disabled.</p>
+
+
+<h3>If the OCSP responder is slow or unreliable</h3>
+
+<p>Several directives are available to handle timeouts and errors.  Refer
+to the documentation for the
+<code class="directive"><a href="../mod/mod_ssl.html#sslstaplingfaketrylater">SSLStaplingFakeTryLater</a></code>,
+<code class="directive"><a href="../mod/mod_ssl.html#sslstaplingrespondertimeout">SSLStaplingResponderTimeout</a></code>, and
+<code class="directive"><a href="../mod/mod_ssl.html#sslstaplingreturnrespondererrors">SSLStaplingReturnResponderErrors</a></code>
+directives.</p>
+
+
+<h3>If mod_ssl logs error AH02217</h3>
+
+<pre>AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!</pre>
+<p>In order to support OCSP Stapling when a particular server certificate is
+used, the certificate chain for that certificate must be configured.  If it 
+was not configured as part of enabling SSL, the AH02217 error will be issued
+when stapling is enabled, and an OCSP response will not be provided for clients
+using the certificate.</p>
+
+<p>Refer to the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code>
+and <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> for instructions
+for configuring the certificate chain.</p>
+
+
 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
 <h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2>
diff --git a/docs/manual/ssl/ssl_howto.html.fr b/docs/manual/ssl/ssl_howto.html.fr
index e28e932b37..0f89419abd 100644
--- a/docs/manual/ssl/ssl_howto.html.fr
+++ b/docs/manual/ssl/ssl_howto.html.fr
@@ -24,6 +24,8 @@
 <p><span>Langues Disponibles: </span><a href="../en/ssl/ssl_howto.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
 <a href="../fr/ssl/ssl_howto.html" title="Français">&nbsp;fr&nbsp;</a></p>
 </div>
+<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version
+            anglaise pour les changements récents.</div>
 
 
 <p>Ce document doit vous permettre de démarrer et de faire fonctionner
diff --git a/docs/manual/ssl/ssl_howto.xml.fr b/docs/manual/ssl/ssl_howto.xml.fr
index 0f7f52443c..49ab38ead3 100644
--- a/docs/manual/ssl/ssl_howto.xml.fr
+++ b/docs/manual/ssl/ssl_howto.xml.fr
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="ISO-8859-1" ?>
 <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision : 1411510 -->
+<!-- English Revision: 1411510:1633796 (outdated) -->
 <!-- French translation : Lucien GENTIS -->
 <!-- Reviewed by : Vincent Deffontaines -->
 
diff --git a/docs/manual/ssl/ssl_howto.xml.meta b/docs/manual/ssl/ssl_howto.xml.meta
index b7c021fd9a..8d9a5237f4 100644
--- a/docs/manual/ssl/ssl_howto.xml.meta
+++ b/docs/manual/ssl/ssl_howto.xml.meta
@@ -8,6 +8,6 @@
 
   <variants>
     <variant>en</variant>
-    <variant>fr</variant>
+    <variant outdated="yes">fr</variant>
   </variants>
 </metafile>
-- 
2.50.1