authorJonas Smedegaard <dr@jones.dk>2020-10-12 19:42:40 +0200
committerJonas Smedegaard <dr@jones.dk>2020-10-12 19:43:04 +0200
commit6bc86ae316eb9800eddfd02fa4969e2e9655a51d (patch)
tree69a053906604b29aea329f7a23bc0605742fa479
parenta2ff481d4e57d636c1392b5ff7eb50fdfc7a09d3 (diff)
disable OCSP stapling with mod_gnutls unless explicitly enabled with variable _OCSP_RESPONSE, and provide cron script to prefetch files for _OCSP_RESPONSE
-rw-r--r--apache2/conf-available/local-ssl.conf7
-rwxr-xr-xapache2/cron-daily/local-apache2-ocsp17
2 files changed, 24 insertions, 0 deletions
diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index a22646c..e35e9ca 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -33,6 +33,13 @@
GnuTLSCertificateFile ${_TLS_CERT_CHAIN}
GnuTLSKeyFile ${_TLS_KEY}
</IfDefine>
+ <IfDefine _OCSP_RESPONSE>
+ GnuTLSOCSPStapling on
+ GnuTLSOCSPResponseFile ${_OCSP_RESPONSE}
+ </IfDefine>
+ <IfDefine !_OCSP_RESPONSE>
+ GnuTLSOCSPStapling off
+ </IfDefine>
</IfModule>
<IfModule mod_ssl.c>
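Review bot: `GnuTLSOCSPResponseFile ${_OCSP_RESPONSE}` makes the stapled response only as good as whatever refreshes that file, and nothing in the configuration says what is expected to do so or how often. A comment above the `<IfDefine _OCSP_RESPONSE>` block such as `# _OCSP_RESPONSE must point at a DER-encoded response kept fresh externally (see apache2/cron-daily/local-apache2-ocsp); a stale or missing file degrades or breaks stapling` would make that contract explicit for the next operator. It would also help to note that `_OCSP_RESPONSE` is expected to carry a value (`Define _OCSP_RESPONSE /path/to/response.der`), since a bare `-D_OCSP_RESPONSE` presumably satisfies the `<IfDefine>` test while leaving the `${_OCSP_RESPONSE}` expansion without a usable path.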
diff --git a/apache2/cron-daily/local-apache2-ocsp b/apache2/cron-daily/local-apache2-ocsp
new file mode 100755
index 0000000..95d0ba5
--- /dev/null
+++ b/apache2/cron-daily/local-apache2-ocsp
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# local daily cron script to prefetch OCSP data for apache2 mod_gnutls
+
+set -eu
+
+# collect OCSP responses here
+CACHEDIR=/var/cache/apache2/ocsp
+
+command -v ocsptool > /dev/null || exit 0
+
+mkdir -p "$CACHEDIR"
+chown www-data: "$CACHEDIR"
+
+runuser -u www-data -- \
+ find /etc/ssl/shared -name '*.chain.pem' -exec \
+ sh -c 'stem=$(basename --suffix=.chain.pem '"'{}'"') && ocsptool --ask --no-nonce --load-chain '"'{}'"' --outfile "'"$CACHEDIR"'/$stem.der" > /dev/null 2>&1' ';'
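Review bot: The `> /dev/null 2>&1` on the ocsptool call, combined with `-exec … ';'` whose command status never reaches find's exit code, means a failed OCSP fetch is invisible to cron and does not fail the script, so the `.der` in `$CACHEDIR` silently goes stale — or, if ocsptool opens `--outfile` before the request succeeds, is left truncated — while mod_gnutls keeps stapling it. Fetching into a `mktemp` file and only moving it over the cached response on success keeps the last good response in place and lets the failure be reported on stderr where cron will mail it. Passing the path as a positional argument to `sh -c` (`sh -c '…' name {} "$CACHEDIR" ';'`) also removes the splicing of `{}` into the command string with quote juggling, which breaks on any file name containing a single quote even though /etc/ssl/shared is root-controlled. `basename --suffix=` is a GNU extension, which is fine on Debian but worth a one-line comment.
```shell
# … unchanged: shebang, set -eu, CACHEDIR, ocsptool check, mkdir/chown …

runuser -u www-data -- \
  find /etc/ssl/shared -name '*.chain.pem' -exec sh -c '
    chain=$1 cachedir=$2
    stem=$(basename --suffix=.chain.pem "$chain")
    tmp=$(mktemp "$cachedir/.$stem.XXXXXX") || exit 1
    if ocsptool --ask --no-nonce --load-chain "$chain" --outfile "$tmp" > /dev/null 2>&1; then
      mv -f "$tmp" "$cachedir/$stem.der"
    else
      rm -f "$tmp"
      printf "%s: OCSP fetch failed for %s\n" "$0" "$chain" >&2
      exit 1
    fi
  ' local-apache2-ocsp {} "$CACHEDIR" ';'
```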