Add OCSP Stapling configuration capabilities to Debian

Document Stapling options in pillar.example

Add OCSP Stapling configuration capabilities to Debian
06b1606f · Javier Bértoli · 79673343 · 06b1606f · 06b1606f
Commit 06b1606f authored 6 years ago by Javier Bértoli
--- a/apache/files/Debian/ssl.conf.jinja
+++ b/apache/files/Debian/ssl.conf.jinja
+#
+# This file is managed by Salt! Do not edit by hand!
+#
 <IfModule mod_ssl.c>

 	# Pseudo Random Number Generator (PRNG):
@@ -81,6 +84,18 @@
 	#   Default: Off
 	#SSLStrictSNIVHostCheck On

+	{% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %}
+	{% if use_stapling == 'On' %}
+	#   Stapling configuration
+	#   Default: Off
+	#
+	#   See https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html for more details
+	#   Defaults values taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+	SSLUseStapling {{ use_stapling }}
+	SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }}
+	SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }}
+	SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }}
+	{% endif %}
 </IfModule>

 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/pillar.example
+++ b/pillar.example
@@ -311,6 +311,10 @@ apache:
    SSLCipherSuite: 'HIGH:!aNULL'
    SSLHonorCipherOrder: 'Off'
    SSLProtocol: 'all -SSLv3'
+    SSLUseStapling: 'Off'
+    SSLStaplingResponderTimeout: '5'
+    SSLStaplingReturnResponderErrors: 'Off'
+    SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'

  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip: