From: Jeff Trawick Date: Thu, 30 Oct 2014 14:30:28 +0000 (+0000) Subject: merge r1635510 from trunk: X-Git-Tag: 2.4.11~210 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b30d83f9acd08e0608bb1a680c6c467ab4e089c;p=thirdparty%2Fapache%2Fhttpd.git merge r1635510 from trunk: more hints for OCSP Stapling: * when a different cache mechanism is used... * testing that your server sends an OCSP response git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1635512 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 7d11ac3bf96..5c580aa84d3 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -150,6 +150,33 @@ for the Ubuntu or Debian-bundled httpd, etc.

SSLSessionCache directive. This path is relative to ServerRoot.

+

This particular SSLStaplingCache directive requires +mod_socache_shmcb (from the shmcb prefix on the +directive's argument). This module is usually enabled already for +SSLSessionCache or on behalf of some module other than +mod_ssl. If you enabled an SSL session cache using a +mechanism other than mod_socache_shmcb, use that alternative +mechanism for SSLStaplingCache as well. For example:

+ + +SSLSessionCache "dbm:logs/ssl_scache" +SSLStaplingCache "dbm:logs/ssl_stapling" + + +

You can use the openssl command-line program to verify that an OCSP response +is sent by your server:

+ +
+$ openssl s_client -connect www.example.com:443 -status -servername www.example.com
+...
+OCSP response: 
+======================================
+OCSP Response Data:
+    OCSP Response Status: successful (0x0)
+    Response Type: Basic OCSP Response
+...
+
+

The following sections highlight the most common situations which require further modification to the configuration. Refer also to the mod_ssl reference manual.
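Review bot: The openssl verification example at the end of the added text shows only the successful output, so a reader whose server is not stapling has nothing to compare it against. Consider adding one sentence on the negative case (s_client then prints "OCSP response: no response sent"), and a short remark on why -servername is passed, since the example uses it without explanation and it determines which virtual host's certificate is checked. Separately, the first added paragraph ties the shmcb prefix to mod_socache_shmcb, but the dbm example that follows names no module; mentioning mod_socache_dbm there would keep the two cases parallel.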