apache ssl: Do not pass OCSP stapling failures to client
authorGrant Slater <git@firefishy.com>
Sat, 11 Oct 2014 18:09:27 +0000 (19:09 +0100)
committerGrant Slater <git@firefishy.com>
Sat, 11 Oct 2014 18:09:32 +0000 (19:09 +0100)
Do not pass OCSP stapling failures to client.
CAs' OCSP servers occasionally fail; propagating an error is undesirable and causes Firefox and other clients by default to reject the connection.

cookbooks/apache/templates/default/ssl.erb

index 1e9ea31da62dc532d9e523f56d5376667ed86a44..07f007c50d3951359f5129f9babbccee22a586a8 100644 (file)
@@ -9,5 +9,6 @@ SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
 <% if node[:lsb][:release].to_f >= 14.04 -%>
 
 SSLUseStapling On
+SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 <% end -%>
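Review bot: turning off SSLStaplingReturnResponderErrors addresses the error path only; when the responder query fails, nothing is stapled and the client falls back to its own revocation checking, which matches the stated intent, but the hunk still leaves the responder query and error-cache timeouts at mod_ssl defaults, so a slow or unreachable CA responder can still stall the handshake for the default query timeout before the fallback kicks in. Consider adding SSLStaplingResponderTimeout and SSLStaplingErrorCacheTimeout alongside the new line, and a template comment noting that this is a deliberate availability-over-strictness choice, since a future reader of ssl.erb will otherwise see only an unexplained "off".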