X-Original-To: apmail-httpd-cvs-archive@www.apache.org
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by minotaur.apache.org (Postfix) with SMTP id 054EC975A
for ;
Wed, 21 Sep 2011 16:54:46 +0000 (UTC)
Received: (qmail 12298 invoked by uid 500); 21 Sep 2011 16:54:45 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 12212 invoked by uid 500); 21 Sep 2011 16:54:44 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 12203 invoked by uid 99); 21 Sep 2011 16:54:44 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Sep 2011 16:54:44 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Sep 2011 16:54:41 +0000
Received: from eris.apache.org (localhost [127.0.0.1])
by eris.apache.org (Postfix) with ESMTP id AA82C238888F;
Wed, 21 Sep 2011 16:54:19 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1173755 - in /httpd/httpd/trunk/docs/manual: mod/mod_ssl.xml upgrading.xml
Date: Wed, 21 Sep 2011 16:54:19 -0000
To: cvs@httpd.apache.org
From: kbrand@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20110921165419.AA82C238888F@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: kbrand
Date: Wed Sep 21 16:54:18 2011
New Revision: 1173755
URL: http://svn.apache.org/viewvc?rev=1173755&view=rev
Log:
mod_ssl:
- document the SSLStapling* directives (code committed in
r829619 for 2.2.3, see PR 43822)
- add SSLCARevocationCheck to the list of configuration changes
in the 2.4 upgrade notes.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/docs/manual/upgrading.xml
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1173755&r1=1173754&r2=1173755&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Sep 21 16:54:18 2011
@@ -431,7 +431,7 @@ up to four parallel requests are common)
different pre-forked server processes. Here an inter-process cache
helps to avoid unnecessary session handshakes.
-The following four storage types are currently supported:
+The following five storage types are currently supported:
none
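Review bot: the change from "four" to "five" storage types is only correct if the list that follows actually gained a fifth entry; the hunk shows just the first entry, "none", so please confirm the new type is listed in this section and that it agrees with what the new SSLStaplingCache text says is shared with SSLSessionCache (all types except none and nonenotnull), otherwise the two sections will disagree.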
@@ -2084,4 +2084,190 @@ supported for a given SSL connection.
+
+SSLUseStapling
+Enable stapling of OCSP responses in the TLS handshake
+SSLUseStapling on|off
+SSLUseStapling off
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+This option enables OCSP stapling, as defined by the "Certificate
+Status Request" TLS extension specified in RFC 6066. If enabled (and
+requested by the client), mod_ssl will include an OCSP response
+for its own certificate in the TLS handshake. Configuring an
+SSLStaplingCache is a
+prerequisite for enabling OCSP stapling.
+
+OCSP stapling relieves the client of querying the OCSP responder
+on its own, but it should be noted that in its current specification,
+the server's CertificateStatus
reply may only include an
+OCSP response for a single cert. For server certificates with intermediate
+CA certificates in their chain (the typical case nowadays),
+stapling in its current form therefore only partially achieves the
+stated goal of "saving roundtrips and resources" - see also the
+"Adding Multiple TLS Certificate Status Extension requests" Internet draft.
+
+
+
+
+
+SSLStaplingCache
+Configures the OCSP stapling cache
+SSLStaplingCache type
+server config
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+Configures the cache used to store OCSP responses which get included
+in the TLS handshake if SSLUseStapling
+is enabled. Configuration of a cache is mandatory for OCSP stapling.
+With the exception of none
and nonenotnull
,
+the same storage types are supported as with
+SSLSessionCache.
+
+
+
+
+SSLStaplingResponseTimeSkew
+Maximum allowable time skew for OCSP stapling response validation
+SSLStaplingResponseTimeSkew seconds
+SSLStaplingResponseTimeSkew 300
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+This option sets the maximum allowable time skew when mod_ssl checks the
+thisUpdate
and nextUpdate
fields of OCSP responses
+which get included in the TLS handshake (OCSP stapling). Only applicable
+if SSLUseStapling is turned on.
+
+
+
+
+SSLStaplingResponderTimeout
+Timeout for OCSP stapling queries
+SSLStaplingResponderTimeout seconds
+SSLStaplingResponderTimeout 10
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+This option sets the timeout for queries to OCSP responders when
+SSLUseStapling is enabled
+and mod_ssl is querying a responder for OCSP stapling purposes.
+
+
+
+
+SSLStaplingResponseMaxAge
+Maximum allowable age for OCSP stapling responses
+SSLStaplingResponseMaxAge seconds
+SSLStaplingResponseMaxAge -1
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+This option sets the maximum allowable age ("freshness") when
+considering OCSP responses for stapling purposes, i.e. when
+SSLUseStapling is turned on.
+The default value (-1
) does not enforce a maximum age,
+which means that OCSP responses are considered valid as long as their
+nextUpdate
field is in the future.
+
+
+
+
+SSLStaplingStandardCacheTimeout
+Number of seconds before expiring responses in the OCSP stapling cache
+SSLStaplingStandardCacheTimeout seconds
+SSLStaplingStandardCacheTimeout 3600
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+Sets the timeout in seconds before responses in the OCSP stapling cache
+(configured through SSLStaplingCache)
+will expire. This directive applies to valid responses, while
+SSLStaplingErrorCacheTimeout is
+used for controlling the timeout for invalid/unavailable responses.
+
+
+
+
+
+SSLStaplingReturnResponderErrors
+Pass stapling related OCSP errors on to client
+SSLStaplingReturnResponderErrors on|off
+SSLStaplingReturnResponderErrors on
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+When enabled, mod_ssl will pass responses from unsuccessful
+stapling related OCSP queries (such as status errors, expired responses etc.)
+on to the client. If set to off
, no stapled responses
+for failed queries will be included in the TLS handshake.
+
+
+
+
+SSLStaplingFakeTryLater
+Synthesize "tryLater" responses for failed OCSP stapling queries
+SSLStaplingFakeTryLater on|off
+SSLStaplingFakeTryLater on
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+When enabled and a query to an OCSP responder for stapling
+purposes fails, mod_ssl will synthesize a "tryLater" response for the
+client. Only effective if SSLStaplingReturnResponderErrors
+is also enabled.
+
+
+
+
+SSLStaplingErrorCacheTimeout
+Number of seconds before expiring invalid responses in the OCSP stapling cache
+SSLStaplingErrorCacheTimeout seconds
+SSLStaplingErrorCacheTimeout 600
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+Sets the timeout in seconds before invalid responses
+in the OCSP stapling cache (configured through SSLStaplingCache) will expire.
+To set the cache timeout for valid responses, see
+SSLStaplingStandardCacheTimeout.
+
+
+
+
+SSLStaplingForceURL
+Override the OCSP responder URI specified in the certificate's AIA extension
+SSLStaplingForceURL uri
+server config
+virtual host
+Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+
+
+This directive overrides the URI of an OCSP responder as obtained from
+the authorityInfoAccess (AIA) extension of the certificate.
+Of potential use when going through a proxy for retrieving OCSP queries.
+
+
+
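Review bot: the availability line repeated under every SSLStapling* directive says "Available in httpd 2.3.3 and later", while the log message for this commit says the code went in for 2.2.3; one of the two is wrong and the documentation should name the release in which the feature actually shipped. Two further points on wording: the SSLStaplingCache text says configuration of a cache is mandatory, but neither it nor the SSLUseStapling paragraph says what happens when SSLUseStapling is on and no cache is configured (a startup error and a silently disabled feature are very different things for an admin), and the SSLStaplingForceURL sentence "Of potential use when going through a proxy for retrieving OCSP queries." is a fragment; suggest "This can be useful when OCSP queries have to be sent through a proxy." Finally, since both SSLStaplingReturnResponderErrors and SSLStaplingFakeTryLater default to on, it would help to state under SSLStaplingReturnResponderErrors that with the defaults a responder failure is visible to clients as a stapled error or "tryLater" response, so admins know which directive to change if they would rather omit the staple entirely on failure.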
Modified: httpd/httpd/trunk/docs/manual/upgrading.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/upgrading.xml?rev=1173755&r1=1173754&r2=1173755&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/upgrading.xml (original)
+++ httpd/httpd/trunk/docs/manual/upgrading.xml Wed Sep 21 16:54:18 2011
@@ -256,6 +256,12 @@
option has been removed in favour of per-module LogLevel configuration.
+
+ - mod_ssl: CRL based revocation checking
+ now needs to be explicitly configured through SSLCARevocationCheck.
+
+
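Review bot: the new upgrade note says CRL based revocation checking "now needs to be explicitly configured through SSLCARevocationCheck", but it does not say what an existing configuration that only sets SSLCARevocationFile or SSLCARevocationPath will do after the upgrade; spell out that revocation checking stays off until the new directive is set, and link the directive's entry in mod_ssl.xml, so that admins do not upgrade and lose CRL enforcement without noticing.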