disable OCSP stapling with mod_gnutls unless explicitly enabled with variable _OCSP_RESPONSE, and provide cron script to prefetch files for _OCSP_RESPONSE

author: Jonas Smedegaard <dr@jones.dk> 2020-10-12 19:42:40 +0200
committer: Jonas Smedegaard <dr@jones.dk> 2020-10-12 19:43:04 +0200
commit: 6bc86ae316eb9800eddfd02fa4969e2e9655a51d (patch)
tree: 69a053906604b29aea329f7a23bc0605742fa479 /apache2/conf-available/local-ssl.conf
parent: a2ff481d4e57d636c1392b5ff7eb50fdfc7a09d3 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index a22646c..e35e9ca 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -33,6 +33,13 @@
 		GnuTLSCertificateFile ${_TLS_CERT_CHAIN}
 		GnuTLSKeyFile ${_TLS_KEY}
 	</IfDefine>
+	<IfDefine _OCSP_RESPONSE>
+		GnuTLSOCSPStapling on
+		GnuTLSOCSPResponseFile ${_OCSP_RESPONSE}
+	</IfDefine>
+	<IfDefine !_OCSP_RESPONSE>
+		GnuTLSOCSPStapling off
+	</IfDefine>
 </IfModule>
 
 <IfModule mod_ssl.c>
author	Jonas Smedegaard <dr@jones.dk>	2020-10-12 19:42:40 +0200
committer	Jonas Smedegaard <dr@jones.dk>	2020-10-12 19:43:04 +0200
commit	6bc86ae316eb9800eddfd02fa4969e2e9655a51d (patch)
tree	69a053906604b29aea329f7a23bc0605742fa479 /apache2/conf-available/local-ssl.conf
parent	a2ff481d4e57d636c1392b5ff7eb50fdfc7a09d3 (diff)