From 521a4cabc8c7be9ee466f4ab0177c64501b14991 Mon Sep 17 00:00:00 2001
From: Jeff Trawick
Date: Thu, 30 Oct 2014 14:23:01 +0000
Subject: [PATCH] more hints for OCSP Stapling:
* when a different cache mechanism is used...
* testing that your server sends an OCSP response
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1635510 13f79535-47bb-0310-9956-ffa450edef68
---
docs/manual/ssl/ssl_howto.xml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml
index 66f04dcbd8..aef61bcab3 100644
--- a/docs/manual/ssl/ssl_howto.xml
+++ b/docs/manual/ssl/ssl_howto.xml
@@ -143,6 +143,33 @@ placed, such as in conf/extra/httpd-ssl.conf
for normal
open source builds of httpd, /etc/apache2/mods-enabled/ssl.conf
for the Ubuntu or Debian-bundled httpd, etc.
+This particular SSLStaplingCache directive requires
+mod_socache_shmcb (from the shmcb
prefix on the
+directive's argument). This module is usually enabled already for
+SSLSessionCache or on behalf of some module other than
+mod_ssl. If you enabled an SSL session cache using a
+mechanism other than mod_socache_shmcb, use that alternative
+mechanism for SSLStaplingCache as well. For example:
+
+
+SSLSessionCache "dbm:ssl_scache"
+SSLStaplingCache "dbm:ssl_stapling"
+
+
+You can use the openssl command-line program to verify that an OCSP response
+is sent by your server:
+
+
+$ openssl s_client -connect www.example.com:443 -status -servername www.example.com
+...
+OCSP response:
+======================================
+OCSP Response Data:
+ OCSP Response Status: successful (0x0)
+ Response Type: Basic OCSP Response
+...
+
+
The following sections highlight the most common situations which require
further modification to the configuration. Refer also to the
mod_ssl reference manual.
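Review bot: the openssl s_client example at the end of the added text shows only the successful case, so a reader whose server is not stapling has nothing to compare the output against. Consider adding the failing output too: with -status and no stapled response, s_client prints "OCSP response: no response sent". Separately, the paragraph names mod_socache_shmcb as the module behind the shmcb prefix but does not name the module the dbm example depends on. Stating that "dbm:" requires mod_socache_dbm to be loaded would keep the alternative-cache example parallel with the shmcb explanation above it.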
--
2.40.0