From: Jeff Trawick Date: Thu, 23 Oct 2014 12:00:31 +0000 (+0000) Subject: Merge r1632454,1633731,1633793 from trunk: X-Git-Tag: 2.4.11~239 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7727e4b56f2a63992c58cff489fc88e7bd4ef6b1;p=thirdparty%2Fapache%2Fhttpd.git Merge r1632454,1633731,1633793 from trunk: * Add how-to guide for OCSP Stapling * add hint on discovering that OCSP Stapling cache is too small * trying to enable OCSP Stapling without certificate chain (and add 2.4.x-specific hint about the path on the cache) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1633796 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 05ebbb2b277..7d11ac3bf96 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -104,6 +104,128 @@ SSLCipherSuite HIGH:!aNULL:!MD5 +
+OCSP Stapling + +

The Online Certificate Status Protocol (OCSP) is a mechanism for +determining whether or not a server certificate has been revoked, and OCSP +Stapling is a special form of this in which the server, such as httpd and +mod_ssl, maintains current OCSP responses for its certificates and sends +them to clients which communicate with the server. Most certificates +contain the address of an OCSP responder maintained by the issuing +Certificate Authority, and mod_ssl can communicate with that responder to +obtain a signed response that can be sent to clients communicating with +the server.

+ +

Because the client can obtain the certificate revocation status from +the server, without requiring an extra connection from the client to the +Certificate Authority, OCSP Stapling is the preferred way for the +revocation status to be obtained. Other benefits of eliminating the +communication between clients and the Certificate Authority are that the +client browsing history is not exposed to the Certificate Authority and +obtaining status is more reliable by not depending on potentially heavily +loaded Certificate Authority servers.

+ +

Because the response obtained by the server can be reused for all clients +using the same certificate during the time that the response is valid, the +overhead for the server is minimal.

+ +

Once general SSL support has been configured properly, enabling OCSP +Stapling generally requires only very minor modifications to the httpd +configuration — the addition of these two directives:

+ + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" + + +

These directives are placed at global scope (i.e., not within a virtual +host definition) wherever other global SSL configuration directives are +placed, such as in conf/extra/httpd-ssl.conf for normal +open source builds of httpd, /etc/apache2/mods-enabled/ssl.conf +for the Ubuntu or Debian-bundled httpd, etc.

+ +

The path on the SSLStaplingCache directive +(e.g., logs/) should match the one on the +SSLSessionCache directive. This path is relative +to ServerRoot.

+ +

The following sections highlight the most common situations which require +further modification to the configuration. Refer also to the +mod_ssl reference manual.

+ +
+If more than a few SSL certificates are used for the server +

OCSP responses are stored in the SSL stapling cache. While the responses +are typically a few hundred to a few thousand bytes in size, mod_ssl +supports OCSP responses up to around 10K bytes in size. With more than a +few certificates, the stapling cache size (32768 bytes in the example above) +may need to be increased. Error message AH01929 will be logged in case of +an error storing a response.

+
+ +
+If the certificate does not point to an OCSP responder, or if a +different address must be used +

Refer to the +SSLStaplingForceURL directive.

+ +

You can confirm that a server certificate points to an OCSP responder +using the openssl command-line program, as follows:

+ +
+$ openssl x509 -in ./www.example.com.crt -text | grep 'OCSP.*http'
+OCSP - URI:http://ocsp.example.com
+
+ +

If the OCSP URI is provided and the web server can communicate to it +directly without using a proxy, no configuration is required. Note that +firewall rules that control outbound connections from the web server may +need to be adjusted.

+ +

If no OCSP URI is provided, contact your Certificate Authority to +determine if one is available; if so, configure it with +SSLStaplingForceURL in the virtual +host that uses the certificate.

+
+ +
+If multiple SSL-enabled virtual hosts are configured and OCSP +Stapling should be disabled for some + +

Add SSLUseStapling Off to the virtual hosts for which OCSP +Stapling should be disabled.

+
+ +
+If the OCSP responder is slow or unreliable +

Several directives are available to handle timeouts and errors. Refer +to the documentation for the +SSLStaplingFakeTryLater, +SSLStaplingResponderTimeout, and +SSLStaplingReturnResponderErrors +directives.

+
+ +
+If mod_ssl logs error AH02217 +
+AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
+
+

In order to support OCSP Stapling when a particular server certificate is +used, the certificate chain for that certificate must be configured. If it +was not configured as part of enabling SSL, the AH02217 error will be issued +when stapling is enabled, and an OCSP response will not be provided for clients +using the certificate.

+ +

Refer to the SSLCertificateChainFile +and SSLCertificateFile for instructions +for configuring the certificate chain.

+
+ +
+ +
Client Authentication and Access Control