Return-Path: 
 <cvs-return-39577-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-cvs-archive@www.apache.org
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 054EC975A
	for <apmail-httpd-cvs-archive@www.apache.org>;
 Wed, 21 Sep 2011 16:54:46 +0000 (UTC)
Received: (qmail 12298 invoked by uid 500); 21 Sep 2011 16:54:45 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 12212 invoked by uid 500); 21 Sep 2011 16:54:44 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:cvs-help@httpd.apache.org>
list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org>
List-Post: <mailto:cvs@httpd.apache.org>
List-Id: <cvs.httpd.apache.org>
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 12203 invoked by uid 99); 21 Sep 2011 16:54:44 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Sep 2011 16:54:44 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Sep 2011 16:54:41 +0000
Received: from eris.apache.org (localhost [127.0.0.1])
	by eris.apache.org (Postfix) with ESMTP id AA82C238888F;
	Wed, 21 Sep 2011 16:54:19 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1173755 - in /httpd/httpd/trunk/docs/manual:
 mod/mod_ssl.xml
 upgrading.xml
Date: Wed, 21 Sep 2011 16:54:19 -0000
To: cvs@httpd.apache.org
From: kbrand@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20110921165419.AA82C238888F@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: kbrand
Date: Wed Sep 21 16:54:18 2011
New Revision: 1173755

URL: http://svn.apache.org/viewvc?rev=1173755&view=rev
Log:
mod_ssl:
- document the SSLStapling* directives (code committed in
  r829619 for 2.2.3, see PR 43822)
- add SSLCARevocationCheck to the list of configuration changes
  in the 2.4 upgrade notes.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/docs/manual/upgrading.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1173755&r1=1173754&r2=1173755&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Sep 21 16:54:18 2011
@@ -431,7 +431,7 @@ up to four parallel requests are common)
 <em>different</em> pre-forked server processes. Here an inter-process cache
 helps to avoid unnecessary session handshakes.</p>
 <p>
-The following four storage <em>type</em>s are currently supported:</p>
+The following five storage <em>type</em>s are currently supported:</p>
 <ul>
 <li><code>none</code>
 
@@ -2084,4 +2084,190 @@ supported for a given SSL connection.</p
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLUseStapling</name>
+<description>Enable stapling of OCSP responses in the TLS handshake</description>
+<syntax>SSLUseStapling on|off</syntax>
+<default>SSLUseStapling off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>This option enables OCSP stapling, as defined by the "Certificate
+Status Request" TLS extension specified in RFC 6066. If enabled (and
+requested by the client), mod_ssl will include an OCSP response
+for its own certificate in the TLS handshake. Configuring an
+<directive module="mod_ssl">SSLStaplingCache</directive> is a
+prerequisite for enabling OCSP stapling.</p>
+
+<p>OCSP stapling relieves the client of querying the OCSP responder
+on its own, but it should be noted that in its current specification,
+the server's <code>CertificateStatus</code> reply may only include an
+OCSP response for a single cert. For server certificates with intermediate
+CA certificates in their chain (the typical case nowadays),
+stapling in its current form therefore only partially achieves the
+stated goal of "saving roundtrips and resources" - see also the <a
+href="https://datatracker.ietf.org/doc/draft-pettersen-tls-ext-multiple-ocsp/">
+"Adding Multiple TLS Certificate Status Extension requests"</a> Internet draft.
+</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingCache</name>
+<description>Configures the OCSP stapling cache</description>
+<syntax>SSLStaplingCache <em>type</em></syntax>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>Configures the cache used to store OCSP responses which get included
+in the TLS handshake if <directive module="mod_ssl">SSLUseStapling</directive>
+is enabled. Configuration of a cache is mandatory for OCSP stapling.
+With the exception of <code>none</code> and <code>nonenotnull</code>,
+the same storage types are supported as with
+<directive module="mod_ssl">SSLSessionCache</directive>.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingResponseTimeSkew</name>
+<description>Maximum allowable time skew for OCSP stapling response validation</description>
+<syntax>SSLStaplingResponseTimeSkew <em>seconds</em></syntax>
+<default>SSLStaplingResponseTimeSkew 300</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable time skew when mod_ssl checks the
+<code>thisUpdate</code> and <code>nextUpdate</code> fields of OCSP responses
+which get included in the TLS handshake (OCSP stapling). Only applicable
+if <directive module="mod_ssl">SSLUseStapling</directive> is turned on.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingResponderTimeout</name>
+<description>Timeout for OCSP stapling queries</description>
+<syntax>SSLStaplingResponderTimeout <em>seconds</em></syntax>
+<default>SSLStaplingResponderTimeout 10</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>This option sets the timeout for queries to OCSP responders when
+<directive module="mod_ssl">SSLUseStapling</directive> is enabled
+and mod_ssl is querying a responder for OCSP stapling purposes.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingResponseMaxAge</name>
+<description>Maximum allowable age for OCSP stapling responses</description>
+<syntax>SSLStaplingResponseMaxAge <em>seconds</em></syntax>
+<default>SSLStaplingResponseMaxAge -1</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable age ("freshness") when
+considering OCSP responses for stapling purposes, i.e. when
+<directive module="mod_ssl">SSLUseStapling</directive> is turned on.
+The default value (<code>-1</code>) does not enforce a maximum age,
+which means that OCSP responses are considered valid as long as their
+<code>nextUpdate</code> field is in the future.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingStandardCacheTimeout</name>
+<description>Number of seconds before expiring responses in the OCSP stapling cache</description>
+<syntax>SSLStaplingStandardCacheTimeout <em>seconds</em></syntax>
+<default>SSLStaplingStandardCacheTimeout 3600</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>Sets the timeout in seconds before responses in the OCSP stapling cache
+(configured through <directive module="mod_ssl">SSLStaplingCache</directive>)
+will expire. This directive applies to <em>valid</em> responses, while
+<directive module="mod_ssl">SSLStaplingErrorCacheTimeout</directive> is
+used for controlling the timeout for invalid/unavailable responses.
+</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingReturnResponderErrors</name>
+<description>Pass stapling related OCSP errors on to client</description>
+<syntax>SSLStaplingReturnResponderErrors on|off</syntax>
+<default>SSLStaplingReturnResponderErrors on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>When enabled, mod_ssl will pass responses from unsuccessful
+stapling related OCSP queries (such as status errors, expired responses etc.)
+on to the client. If set to <code>off</code>, no stapled responses
+for failed queries will be included in the TLS handshake.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingFakeTryLater</name>
+<description>Synthesize "tryLater" responses for failed OCSP stapling queries</description>
+<syntax>SSLStaplingFakeTryLater on|off</syntax>
+<default>SSLStaplingFakeTryLater on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>When enabled and a query to an OCSP responder for stapling
+purposes fails, mod_ssl will synthesize a "tryLater" response for the
+client. Only effective if <directive
+module="mod_ssl">SSLStaplingReturnResponderErrors</directive>
+is also enabled.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingErrorCacheTimeout</name>
+<description>Number of seconds before expiring invalid responses in the OCSP stapling cache</description>
+<syntax>SSLStaplingErrorCacheTimeout <em>seconds</em></syntax>
+<default>SSLStaplingErrorCacheTimeout 600</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>Sets the timeout in seconds before <em>invalid</em> responses
+in the OCSP stapling cache (configured through <directive
+module="mod_ssl">SSLStaplingCache</directive>) will expire.
+To set the cache timeout for valid responses, see
+<directive module="mod_ssl">SSLStaplingStandardCacheTimeout</directive>.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLStaplingForceURL</name>
+<description>Override the OCSP responder URI specified in the certificate's AIA extension</description>
+<syntax>SSLStaplingForceURL <em>uri</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</compatibility>
+
+<usage>
+<p>This directive overrides the URI of an OCSP responder as obtained from
+the authorityInfoAccess (AIA) extension of the certificate.
+Of potential use when going through a proxy for retrieving OCSP queries.</p>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>

Modified: httpd/httpd/trunk/docs/manual/upgrading.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/upgrading.xml?rev=1173755&r1=1173754&r2=1173755&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/upgrading.xml (original)
+++ httpd/httpd/trunk/docs/manual/upgrading.xml Wed Sep 21 16:54:18 2011
@@ -256,6 +256,12 @@
         option has been removed in favour of per-module <directive
         module="core">LogLevel</directive> configuration.
         </li>
+
+        <li><module>mod_ssl</module>: CRL based revocation checking
+        now needs to be explicitly configured through <directive
+        module="mod_ssl">SSLCARevocationCheck</directive>.
+        </li>
+
       </ul>
     </section>
   </section>