From: Jeff Trawick Date: Thu, 23 Oct 2014 00:59:40 +0000 (+0000) Subject: add OCSP Stapling configuration, disabled by default X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3d3c06480db1168f0be4728bb9de83791a7f9d9;p=thirdparty%2Fapache%2Fhttpd.git add OCSP Stapling configuration, disabled by default git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1633730 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
index b59fa36b197..7110341f608 100644
--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -73,6 +73,31 @@ SSLPassPhraseDialog builtin
 SSLSessionCache "shmcb:ssl_scache(512000)"
 SSLSessionCacheTimeout 300
+# OCSP Stapling (requires OpenSSL 0.9.8h or later)
+#
+# This feature is disabled by default and requires at least
+# the two directives SSLUseStapling and SSLStaplingCache.
+# Refer to the documentation on OCSP Stapling in the SSL/TLS
+# How-To for more information.
+#
+# Enable stapling for all SSL-enabled servers:
+#SSLUseStapling On
+
+# Define a relatively small cache for OCSP Stapling using
+# the same mechanism that is used for the SSL session cache
+# above. If stapling is used with more than a few certificates,
+# the size may need to be increased. (AH01929 will be logged.)
+#SSLStaplingCache "shmcb:ssl_stapling(32768)"
+
+# Override the OCSP responder URL specified in the certificate
+#SSLStaplingForceURL http://ocsp.example.com/
+
+# Seconds before valid OCSP responses are expired from the cache
+#SSLStaplingStandardCacheTimeout 3600
+
+# Seconds before invalid OCSP responses are expired from the cache
+#SSLStaplingErrorCacheTimeout 600
+
 ##
 ## SSL Virtual Host Context
 ##
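Review bot: The block enabled by `#SSLUseStapling On` does not say what is stapled when the OCSP responder is unreachable or returns an error. mod_ssl's `SSLStaplingReturnResponderErrors` and `SSLStaplingFakeTryLater` both default to on, so an administrator who uncomments only the two required directives may end up sending a tryLater or error response to clients during a responder outage. I would add a commented entry next to the cache timeouts, for example `# Do not staple responder errors to clients` followed by `#SSLStaplingReturnResponderErrors off`. Separately, the comment on `SSLStaplingForceURL` should state that in this global position the override applies to the certificates of every SSL-enabled virtual host, and the parenthetical `(AH01929 will be logged.)` would read more clearly as `AH01929 is logged when the cache is too small.`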