Merge pull request #245 from netmanagers/master

Add OCSP Stapling configuration capabilities to Debian

Merge pull request #245 from netmanagers/master
e2462b2c · alxwr · GitHub · 4af4ff59 · 06b1606f · e2462b2c
Unverified Commit e2462b2c authored 6 years ago by alxwr Committed by GitHub 6 years ago
--- a/apache/files/Debian/ssl.conf.jinja
+++ b/apache/files/Debian/ssl.conf.jinja
+#
+# This file is managed by Salt! Do not edit by hand!
+#
 <IfModule mod_ssl.c>
 	# Pseudo Random Number Generator (PRNG):
@@ -81,6 +84,18 @@
 	#   Default: Off
 	#SSLStrictSNIVHostCheck On
+	{% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %}
+	{% if use_stapling == 'On' %}
+	#   Stapling configuration
+	#   Default: Off
+	#
+	#   See https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html for more details
+	#   Defaults values taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+	SSLUseStapling {{ use_stapling }}
+	SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }}
+	SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }}
+	SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }}
+	{% endif %}
 </IfModule>
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/pillar.example
+++ b/pillar.example
@@ -311,6 +311,10 @@ apache:
    SSLCipherSuite: 'HIGH:!aNULL'
    SSLHonorCipherOrder: 'Off'
    SSLProtocol: 'all -SSLv3'
+    SSLUseStapling: 'Off'
+    SSLStaplingResponderTimeout: '5'
+    SSLStaplingReturnResponderErrors: 'Off'
+    SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip: