trafficserver-commits mailing list archives

Subject [2/2] trafficserver git commit: Added OCSP Stapling admin section.
Date Fri, 09 Oct 2015 03:20:49 GMT
Added OCSP Stapling admin section.

This closes #303


Branch: refs/heads/master
Commit: a2328d635caaedc7875c911b91bcdd7c8ab0f90e
Parents: fbf5c66
Author: Steven Feltner <>
Authored: Thu Oct 8 14:51:58 2015 -0700
Committer: James Peach <>
Committed: Thu Oct 8 20:20:06 2015 -0700

 doc/admin/security-options.en.rst | 48 ++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/doc/admin/security-options.en.rst b/doc/admin/security-options.en.rst
index 659facd..c93854c 100644
--- a/doc/admin/security-options.en.rst
+++ b/doc/admin/security-options.en.rst
@@ -275,3 +275,51 @@ a ticket key file as a reverse queue in 48-byte chunks.
 #. Touch :file:`ssl_multicert.config` to indicate that the SSL configuration is stale.
 #. Run the command :option:`traffic_ctl config reload` to apply the new ticket key.
+OCSP Stapling
+OCSP Stapling is an alternative approach to checking the revocation
+status of an SSL certificate using the Online Certificate Status
+Under the original OCSP implementation, clients requested a
+certificate's revocation status directly from the Certificate
+Authority (CA) that issued the certificate.  This could cause
+significant load on the CA servers since they were required to
+provide a response to every client of a given certificate in real
+Enabling OCSP Stapling instructs Traffic Server to retrieve and cache the
+revocation status of all configured SSL certificates, and present them to the
+client when the client requests the status.  Traffic Server will automatically
+query the OCSP responder specified in the SSL certificate to gather the latest
+revocation status.  Traffic Server will then cache the results for each
+configured certifcate.  The location of the OCSP responder is taken from the
+Authority Information Access field of the signed certificate. For example::
+    Authority Information Access:
+                OCSP - URI:
+                CA Issuers - URI:
+Support for OCSP Stapling can be tested using the -status option of the OpenSSL client::
+    $ openssl s_client -connect -status
+    ...
+    ======================================
+    OCSP Response Data:
+        OCSP Response Status: successful (0x0)
+        Response Type: Basic OCSP Response
+        Version: 1 (0x0)
+    ...
+Details of the OCSP Stapling TLS extension can be found in :rfc:`6961`.
+To configure Traffic Server to use OCSP Stapling, edit the following variables
+in :file:`records.config` file:
+* :ts:cv:`proxy.config.ssl.ocsp.enabled`
+* :ts:cv:`proxy.config.ssl.ocsp.cache_timeout`
+* :ts:cv:`proxy.config.ssl.ocsp.request_timeout`
+* :ts:cv:`proxy.config.ssl.ocsp.update_period`
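Review bot: the RFC reference near the end of the new section points at the wrong document. :rfc:`6961` defines the `status_request_v2` extension (stapling status for multiple certificates); the single-certificate `status_request` extension that Traffic Server implements here and that `openssl s_client -status` exercises is specified in RFC 6066 (Section 8), and the OCSP protocol itself in RFC 6960. Suggest: `Details of the OCSP Stapling TLS extension can be found in :rfc:`6066`, and of OCSP itself in :rfc:`6960`.` Separately, the diffstat reports 48 insertions but only 34 `+` lines appear in this hunk, and several lines read as cut off: "using the Online Certificate Status" has no "Protocol (OCSP)." after it, "every client of a given certificate in real" has no "time.", the `OCSP Stapling` title has no RST underline, the Authority Information Access example shows `OCSP - URI:` and `CA Issuers - URI:` with no URIs, and `openssl s_client -connect -status` has no host:port argument, so the example cannot be pasted and run; please confirm the committed file has the heading underline, the blank lines between paragraphs, the full sentences and a host:port placeholder. Minor: "certifcate" -> "certificate". One documentation gap worth closing in the same section: it lists `proxy.config.ssl.ocsp.request_timeout` and `proxy.config.ssl.ocsp.update_period` but never says what Traffic Server does when the responder is unreachable or the cached response has expired (serve no staple, or keep serving the last good response); that failure mode is exactly what an operator enabling stapling needs to know.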
