Posted to cvs@httpd.apache.org by tr...@apache.org on 2014/10/30 15:30:29 UTC
svn commit: r1635512 - in /httpd/httpd/branches/2.4.x: ./
docs/manual/ssl/ssl_howto.xml
Author: trawick
Date: Thu Oct 30 14:30:28 2014
New Revision: 1635512
URL: http://svn.apache.org/r1635512
Log:
merge r1635510 from trunk:
more hints for OCSP Stapling:
* when a different cache mechanism is used...
* testing that your server sends an OCSP response
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1635510
Modified: httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml?rev=1635512&r1=1635511&r2=1635512&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml Thu Oct 30 14:30:28 2014
@@ -150,6 +150,33 @@ for the Ubuntu or Debian-bundled httpd,
<directive>SSLSessionCache</directive> directive. This path is relative
to <directive>ServerRoot</directive>.</p>
+<p>This particular <directive>SSLStaplingCache</directive> directive requires
+<module>mod_socache_shmcb</module> (from the <code>shmcb</code> prefix on the
+directive's argument). This module is usually enabled already for
+<directive>SSLSessionCache</directive> or on behalf of some module other than
+<module>mod_ssl</module>. If you enabled an SSL session cache using a
+mechanism other than <module>mod_socache_shmcb</module>, use that alternative
+mechanism for <directive>SSLStaplingCache</directive> as well. For example:</p>
+
+ <highlight language="config">
+SSLSessionCache "dbm:logs/ssl_scache"
+SSLStaplingCache "dbm:logs/ssl_stapling"
+ </highlight>
+
+<p>You can use the openssl command-line program to verify that an OCSP response
+is sent by your server:</p>
+
+<pre>
+$ openssl s_client -connect www.example.com:443 -status -servername www.example.com
+...
+OCSP response:
+======================================
+OCSP Response Data:
+ OCSP Response Status: successful (0x0)
+ Response Type: Basic OCSP Response
+...
+</pre>
+
<p>The following sections highlight the most common situations which require
further modification to the configuration. Refer also to the
<module>mod_ssl</module> reference manual.</p>
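Review bot: The dbm example after "For example:" does not name the module it depends on, although the paragraph above it spells out that the shmcb prefix requires mod_socache_shmcb. Suggest adding a clause that the dbm prefix requires mod_socache_dbm to be loaded, so a reader who copies the two lines knows which module to enable. In the <pre> block only the successful case is shown; one sentence on what s_client reports when the server staples no response would let a reader tell a non-working setup apart from output elided by the "..." lines.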