From 9b30d83f9acd08e0608bb1a680c6c467ab4e089c Mon Sep 17 00:00:00 2001 From: Jeff Trawick Date: Thu, 30 Oct 2014 14:30:28 +0000 Subject: [PATCH] merge r1635510 from trunk: more hints for OCSP Stapling: * when a different cache mechanism is used... * testing that your server sends an OCSP response git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1635512 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/ssl/ssl_howto.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 7d11ac3bf9..5c580aa84d 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -150,6 +150,33 @@ for the Ubuntu or Debian-bundled httpd, etc.

SSLSessionCache directive. This path is relative to ServerRoot.

+

This particular SSLStaplingCache directive requires +mod_socache_shmcb (from the shmcb prefix on the +directive's argument). This module is usually enabled already for +SSLSessionCache or on behalf of some module other than +mod_ssl. If you enabled an SSL session cache using a +mechanism other than mod_socache_shmcb, use that alternative +mechanism for SSLStaplingCache as well. For example:

+ + +SSLSessionCache "dbm:logs/ssl_scache" +SSLStaplingCache "dbm:logs/ssl_stapling" + + +

You can use the openssl command-line program to verify that an OCSP response +is sent by your server:

+ +
+$ openssl s_client -connect www.example.com:443 -status -servername www.example.com
+...
+OCSP response: 
+======================================
+OCSP Response Data:
+    OCSP Response Status: successful (0x0)
+    Response Type: Basic OCSP Response
+...
+
+

The following sections highlight the most common situations which require further modification to the configuration. Refer also to the mod_ssl reference manual.

-- 2.50.1