From 6bc86ae316eb9800eddfd02fa4969e2e9655a51d Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Mon, 12 Oct 2020 19:42:40 +0200
Subject: disable OCSP stapling with mod_gnutls unless explicitly enabled with
 variable _OCSP_RESPONSE, and provide cron script to prefetch files for
 _OCSP_RESPONSE

---
 apache2/conf-available/local-ssl.conf | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'apache2/conf-available/local-ssl.conf')

diff --git a/apache2/conf-available/local-ssl.conf b/apache2/conf-available/local-ssl.conf
index a22646c..e35e9ca 100644
--- a/apache2/conf-available/local-ssl.conf
+++ b/apache2/conf-available/local-ssl.conf
@@ -33,6 +33,13 @@
 		GnuTLSCertificateFile ${_TLS_CERT_CHAIN}
 		GnuTLSKeyFile ${_TLS_KEY}
 	</IfDefine>
+	<IfDefine _OCSP_RESPONSE>
+		GnuTLSOCSPStapling on
+		GnuTLSOCSPResponseFile ${_OCSP_RESPONSE}
+	</IfDefine>
+	<IfDefine !_OCSP_RESPONSE>
+		GnuTLSOCSPStapling off
+	</IfDefine>
 </IfModule>
 
 <IfModule mod_ssl.c>
-- 
cgit v1.2.3