On Wed, Dec 20, 2017 at 08:43:35AM +0100, Paul de Weerd wrote:
> I've been playing a bit with OCSP stapling in httpd and found the
> documentation a bit lacking / confusing.  httpd says:
> 
>       ocsp file
>               Specify an OCSP response to be stapled during TLS
>               handshakes with this server.  The file should contain a
>               DER-format OCSP response retrieved from an OCSP server
>               for the certificate in use.  The default is to not use
>               OCSP stapling.  If the OSCP response in file is empty,
>               OCSP stapling will not be used.
> 
> But from this bit of text it's not clear that we have ocspcheck(8) to
> create these files.  Only much further down is there a Xr to this
> program.  I've added a Xr in the description of the ocsp option to
> make this easier to find for the uninitiated.
> 
> While there, I was rather surprised that the file argument is relative
> to the root of the system, not the chroot of the httpd process.  That
> suggests (at least to me) that cron(8)'ing staple updates with
> ocspcheck will require an httpd reload.  Why can't that simply be read
> from the chroot during runtime, so updates to the file take effect
> without a restart?  I have my staple file in the docroot (since I
> understand it to be public data), is that a bad idea?
> 
> Anyway, thought it prudent to also add some words about this too, but
> am less convinced it's correct.
> 
> Cheers,
> 
> Paul
> 

a tweaked version of this diff committed.

thanks,
jmc

> Index: httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.87
> diff -u -p -r1.87 httpd.conf.5
> --- httpd.conf.5      29 Nov 2017 16:55:08 -0000      1.87
> +++ httpd.conf.5      20 Dec 2017 07:26:20 -0000
> @@ -557,10 +557,16 @@ should contain a DER-format OCSP respons
>  OCSP server for the
>  .Ar certificate
>  in use.
> +The
> +.Xr ocspcheck 8
> +utility can be used to create files in the proper format.
>  The default is to not use OCSP stapling.
>  If the OSCP response in
>  .Ar file
>  is empty, OCSP stapling will not be used.
> +Note that the path to
> +.Ar file
> +is not relative to the chroot.
>  .It Ic protocols Ar string
>  Specify the TLS protocols to enable for this server.
>  If not specified, the value
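Review bot: the added sentence "is not relative to the chroot" says where the path is resolved but not when the file is read, and the covering mail's own question is whether a staple refreshed by cron(8) with ocspcheck takes effect without an httpd reload; since that is what a reader of this option will want to know, state whether the file is read once at startup/reload or re-read at runtime. While this paragraph is being touched, the unchanged context line "If the OSCP response in" carries a pre-existing transposition that should read "OCSP", matching the spelling used everywhere else in the hunk.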
> 
> 
> -- 
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
>                  http://www.weirdnet.nl/                 
> 
