diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2020-10-12 19:42:40 +0200 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2020-10-12 19:43:04 +0200 |
| commit | 6bc86ae316eb9800eddfd02fa4969e2e9655a51d (patch) | |
| tree | 69a053906604b29aea329f7a23bc0605742fa479 /apache2/cron-daily/local-apache2-ocsp | |
| parent | a2ff481d4e57d636c1392b5ff7eb50fdfc7a09d3 (diff) | |
disable OCSP stapling with mod_gnutls unless explicitly enabled with variable _OCSP_RESPONSE, and provide cron script to prefetch files for _OCSP_RESPONSE
Diffstat (limited to 'apache2/cron-daily/local-apache2-ocsp')
| -rwxr-xr-x | apache2/cron-daily/local-apache2-ocsp | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/apache2/cron-daily/local-apache2-ocsp b/apache2/cron-daily/local-apache2-ocsp new file mode 100755 index 0000000..95d0ba5 --- /dev/null +++ b/apache2/cron-daily/local-apache2-ocsp @@ -0,0 +1,17 @@ +#!/bin/sh +# +# local daily cron script to prefetch OCSP data for apache2 mod_gnutls + +set -eu + +# collect OCSP responses here +CACHEDIR=/var/cache/apache2/ocsp + +command -v ocsptool > /dev/null || exit 0 + +mkdir -p "$CACHEDIR" +chown www-data: "$CACHEDIR" + +runuser -u www-data -- \ + find /etc/ssl/shared -name '*.chain.pem' -exec \ + sh -c 'stem=$(basename --suffix=.chain.pem '"'{}'"') && ocsptool --ask --no-nonce --load-chain '"'{}'"' --outfile "'"$CACHEDIR"'/$stem.der" > /dev/null 2>&1' ';' |