trafficserver-commits mailing list archives

From jpe...@apache.org
Subject [2/2] trafficserver git commit: Added OCSP Stapling admin section.
Date Fri, 09 Oct 2015 03:20:49 GMT
Added OCSP Stapling admin section.

This closes #303


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a2328d63
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a2328d63
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a2328d63

Branch: refs/heads/master
Commit: a2328d635caaedc7875c911b91bcdd7c8ab0f90e
Parents: fbf5c66
Author: Steven Feltner <sfeltner@godaddy.com>
Authored: Thu Oct 8 14:51:58 2015 -0700
Committer: James Peach <jpeach@apache.org>
Committed: Thu Oct 8 20:20:06 2015 -0700

----------------------------------------------------------------------
 doc/admin/security-options.en.rst | 48 ++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2328d63/doc/admin/security-options.en.rst
----------------------------------------------------------------------
diff --git a/doc/admin/security-options.en.rst b/doc/admin/security-options.en.rst
index 659facd..c93854c 100644
--- a/doc/admin/security-options.en.rst
+++ b/doc/admin/security-options.en.rst
@@ -275,3 +275,51 @@ a ticket key file as a reverse queue in 48-byte chunks.
 #. Touch :file:`ssl_multicert.config` to indicate that the SSL configuration is stale.
 
 #. Run the command :option:`traffic_ctl config reload` to apply the new ticket key.
+
+OCSP Stapling
+============================================
+
+OCSP Stapling is an alternative approach to checking the revocation
+status of an SSL certificate using the Online Certificate Status
+Protocol.
+
+Under the original OCSP implementation, clients requested a
+certificate's revocation status directly from the Certificate
+Authority (CA) that issued the certificate.  This could cause
+significant load on the CA servers since they were required to
+provide a response to every client of a given certificate in real
+time.
+
+Enabling OCSP Stapling instructs Traffic Server to retrieve and cache the
+revocation status of all configured SSL certificates, and present them to the
+client when the client requests the status.  Traffic Server will automatically
+query the OCSP responder specified in the SSL certificate to gather the latest
+revocation status.  Traffic Server will then cache the results for each
+configured certifcate.  The location of the OCSP responder is taken from the
+Authority Information Access field of the signed certificate. For example::
+
+    Authority Information Access:
+                OCSP - URI:http://ocsp.digicert.com
+                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
+
+Support for OCSP Stapling can be tested using the -status option of the OpenSSL client::
+
+    $ openssl s_client -connect mozillalabs.com:443 -status
+    ...
+    ======================================
+    OCSP Response Data:
+        OCSP Response Status: successful (0x0)
+        Response Type: Basic OCSP Response
+        Version: 1 (0x0)
+    ...
+
+Details of the OCSP Stapling TLS extension can be found in :rfc:`6961`.
+
+To configure Traffic Server to use OCSP Stapling, edit the following variables
+in :file:`records.config` file:
+
+* :ts:cv:`proxy.config.ssl.ocsp.enabled`
+* :ts:cv:`proxy.config.ssl.ocsp.cache_timeout`
+* :ts:cv:`proxy.config.ssl.ocsp.request_timeout`
+* :ts:cv:`proxy.config.ssl.ocsp.update_period`
+
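Review bot: the RFC reference in the new section is imprecise: :rfc:`6961` defines the Multiple Certificate Status Request extension (`status_request_v2`), whereas the single-certificate `status_request` extension that `openssl s_client -status` exercises and that this feature implements is defined in section 8 of :rfc:`6066`, with the OCSP protocol itself in :rfc:`6960`; suggest "Details of the OCSP Stapling TLS extension can be found in :rfc:`6066`; the OCSP protocol is specified in :rfc:`6960`." Two smaller points in the same hunk: "configured certifcate" should read "configured certificate", and the sample `s_client` output stops before the line an operator actually needs to check, so it would help to extend the elided output to show the `Cert Status: good` line (or note that a `Cert Status` of `revoked` or `unknown` is what to look for), since a successful `OCSP Response Status` on its own does not tell the reader whether the stapled status is good.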

