From 06b1606f33ca0345726d27989aa1e6223846ff1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= <javier@netmanagers.com.ar>
Date: Sun, 4 Nov 2018 15:02:55 -0300
Subject: [PATCH] Add OCSP Stapling configuration capabilities to Debian
Document Stapling options in pillar.example
---
apache/files/Debian/ssl.conf.jinja | 15 +++++++++++++++
pillar.example | 4 ++++
2 files changed, 19 insertions(+)
diff --git a/apache/files/Debian/ssl.conf.jinja b/apache/files/Debian/ssl.conf.jinja
index e31946d..ae701d9 100644
--- a/apache/files/Debian/ssl.conf.jinja
+++ b/apache/files/Debian/ssl.conf.jinja
@@ -1,3 +1,6 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+#
<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
@@ -81,6 +84,18 @@
# Default: Off
#SSLStrictSNIVHostCheck On
+ {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %}
+ {% if use_stapling == 'On' %}
+ # Stapling configuration
+ # Default: Off
+ #
+ # See https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html for more details
+ # Defaults values taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ SSLUseStapling {{ use_stapling }}
+ SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }}
+ SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }}
+ SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }}
+ {% endif %}
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
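Review bot: The pillar lookups on the `SSLStaplingResponderTimeout`, `SSLStaplingReturnResponderErrors` and `SSLStaplingCache` lines read top-level pillar keys, whereas `SSLUseStapling` two lines earlier and the keys added to pillar.example in this same patch live under `apache:ssl:`, so operator-supplied values for those three directives are silently ignored and the hard-coded defaults always win. They should use the same prefix as the first lookup: `SSLStaplingResponderTimeout {{ salt['pillar.get']('apache:ssl:SSLStaplingResponderTimeout', '5') }}`, `SSLStaplingReturnResponderErrors {{ salt['pillar.get']('apache:ssl:SSLStaplingReturnResponderErrors', 'Off') }}`, `SSLStaplingCache {{ salt['pillar.get']('apache:ssl:SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }}`. The `use_stapling == 'On'` test is an exact, case-sensitive string match, and an unquoted `On` in YAML is typically parsed as a boolean, so stapling would quietly stay off for a pillar written that way; a comment such as `{# value must be the quoted string 'On'; YAML booleans will not match #}` would make that expectation explicit. The `# Default: Off` line inside the block is misleading now that the block is only rendered when stapling is enabled; `# Rendered only when apache:ssl:SSLUseStapling is 'On'` would describe it accurately.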
diff --git a/pillar.example b/pillar.example
index db94b0e..f3039fd 100644
--- a/pillar.example
+++ b/pillar.example
@@ -311,6 +311,10 @@ apache:
SSLCipherSuite: 'HIGH:!aNULL'
SSLHonorCipherOrder: 'Off'
SSLProtocol: 'all -SSLv3'
+ SSLUseStapling: 'Off'
+ SSLStaplingResponderTimeout: '5'
+ SSLStaplingReturnResponderErrors: 'Off'
+ SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
# ``apache.mod_remoteip`` formula additional configuration:
mod_remoteip:
--
GitLab