From: Grant Slater Date: Sat, 11 Oct 2014 18:09:27 +0000 (+0100) Subject: apache ssl: Do not pass OCSP stapling failures to client X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/55f07b266707be40843e951f5811e0de82b50fb5 apache ssl: Do not pass OCSP stapling failures to client Do not pass OCSP stapling failures to client. CA's OCSP servers occionally fail, propagating an error is undesireable and causes Firefox and other clients by default to reject the connection.
---
diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 1e9ea31da..07f007c50 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -9,5 +9,6 @@ SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
 <% if node[:lsb][:release].to_f >= 14.04 -%>
 SSLUseStapling On
+SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 <% end -%>
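Review bot: The added `SSLStaplingReturnResponderErrors off` carries no comment on its trade-off: per the mod_ssl documentation, with this set to off only responses with certificate status "good" are stapled, so a "revoked" or expired response is withheld along with responder failures, and revocation checking then depends on the client's own OCSP lookup. I would record that in the template, e.g. `# Staple only "good" OCSP responses; responder errors and non-good statuses are not passed to clients`. If slow responders are also a concern, `SSLStaplingResponderTimeout 5` beside it would bound how long a stapling query can run; the right value is for the operators to judge. The new line writes `off` where the line above writes `On`; matching the casing would keep the block uniform.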