From 06b1606f33ca0345726d27989aa1e6223846ff1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?=
Date: Sun, 4 Nov 2018 15:02:55 -0300
Subject: [PATCH] Add OCSP Stapling configuration capabilities to Debian

Document Stapling options in pillar.example
---
 apache/files/Debian/ssl.conf.jinja | 15 +++++++++++++++
 pillar.example | 4 ++++
 2 files changed, 19 insertions(+)

diff --git a/apache/files/Debian/ssl.conf.jinja b/apache/files/Debian/ssl.conf.jinja
index e31946d..ae701d9 100644
--- a/apache/files/Debian/ssl.conf.jinja
+++ b/apache/files/Debian/ssl.conf.jinja
@@ -1,3 +1,6 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+#
 # Pseudo Random Number Generator (PRNG):
@@ -81,6 +84,18 @@
 # Default: Off
 #SSLStrictSNIVHostCheck On
+ {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %}
+ {% if use_stapling == 'On' %}
+ # Stapling configuration
+ # Default: Off
+ #
+ # See https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html for more details
+ # Defaults values taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ SSLUseStapling {{ use_stapling }}
+ SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }}
+ SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }}
+ SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }}
+ {% endif %}
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/pillar.example b/pillar.example
index db94b0e..f3039fd 100644
--- a/pillar.example
+++ b/pillar.example
@@ -311,6 +311,10 @@ apache:
 SSLCipherSuite: 'HIGH:!aNULL'
 SSLHonorCipherOrder: 'Off'
 SSLProtocol: 'all -SSLv3'
+ SSLUseStapling: 'Off'
+ SSLStaplingResponderTimeout: '5'
+ SSLStaplingReturnResponderErrors: 'Off'
+ SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
 # ``apache.mod_remoteip`` formula additional configuration:
 mod_remoteip:
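Review bot: The three `salt['pillar.get']` lookups inside the `{% if use_stapling == 'On' %}` block read top-level pillar keys (`'SSLStaplingResponderTimeout'`, `'SSLStaplingReturnResponderErrors'`, `'SSLStaplingCache'`), while `use_stapling` itself and the new pillar.example entries live under `apache:ssl:`, so the values a user documents per pillar.example are never picked up and the hard-coded defaults always win. Each lookup should use the nested path, e.g. `SSLStaplingResponderTimeout {{ salt['pillar.get']('apache:ssl:SSLStaplingResponderTimeout', '5') }}`, and likewise for the other two. The `== 'On'` test is an exact string match: a pillar written as unquoted `On` is presumably loaded as a YAML boolean rather than the string, which would silently leave stapling disabled, so the block comment should state that the value must be quoted exactly as in pillar.example. Minor wording: `# Defaults values taken from ...` should read `# Default values taken from ...`.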