add OCSP Stapling configuration, disabled by default

author Jeff Trawick <trawick@apache.org>

Thu, 23 Oct 2014 00:59:40 +0000 (00:59 +0000)

committer Jeff Trawick <trawick@apache.org>

Thu, 23 Oct 2014 00:59:40 +0000 (00:59 +0000)
author Jeff Trawick <trawick@apache.org>
Thu, 23 Oct 2014 00:59:40 +0000 (00:59 +0000)
committer Jeff Trawick <trawick@apache.org>
Thu, 23 Oct 2014 00:59:40 +0000 (00:59 +0000)
diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in

index b59fa36b1976a7acfae6290a971fd6ea588f22e8..7110341f608e36aad652bf0e0ea31f686aa624a3 100644 (file)
--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -73,6 +73,31 @@ SSLPassPhraseDialog  builtin
  SSLSessionCache        "shmcb:ssl_scache(512000)"
  SSLSessionCacheTimeout  300
  
+#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
+#
+#   This feature is disabled by default and requires at least
+#   the two directives SSLUseStapling and SSLStaplingCache.
+#   Refer to the documentation on OCSP Stapling in the SSL/TLS
+#   How-To for more information.
+#
+#   Enable stapling for all SSL-enabled servers:
+#SSLUseStapling On
+
+#   Define a relatively small cache for OCSP Stapling using
+#   the same mechanism that is used for the SSL session cache
+#   above.  If stapling is used with more than a few certificates,
+#   the size may need to be increased.  (AH01929 will be logged.)
+#SSLStaplingCache "shmcb:ssl_stapling(32768)"
+
+#   Override the OCSP responder URL specified in the certificate
+#SSLStaplingForceURL http://ocsp.example.com/
+
+#   Seconds before valid OCSP responses are expired from the cache
+#SSLStaplingStandardCacheTimeout 3600
+
+#   Seconds before invalid OCSP responses are expired from the cache
+#SSLStaplingErrorCacheTimeout 600
+
  ##
  ## SSL Virtual Host Context
  ##
author	Jeff Trawick <trawick@apache.org>
	Thu, 23 Oct 2014 00:59:40 +0000 (00:59 +0000)
committer	Jeff Trawick <trawick@apache.org>
	Thu, 23 Oct 2014 00:59:40 +0000 (00:59 +0000)