From: Grant Slater
Date: Sat, 11 Oct 2014 18:09:27 +0000 (+0100)
Subject: apache ssl: Do not pass OCSP stapling failures to client
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/55f07b266707be40843e951f5811e0de82b50fb5?ds=sidebyside

apache ssl: Do not pass OCSP stapling failures to client

Do not pass OCSP stapling failures to client. CA's OCSP servers occionally fail, propagating an error is undesireable and causes Firefox and other clients by default to reject the connection.
---

diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 1e9ea31da..07f007c50 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -9,5 +9,6 @@ SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
 
 <% if node[:lsb][:release].to_f >= 14.04 -%>
 SSLUseStapling On
+SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 <% end -%>
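Review bot: The added `SSLStaplingReturnResponderErrors off` line carries no comment explaining the trade-off, and the template is the only place an operator will meet it; I would add `# Do not staple failed or non-"good" OCSP responses: a CA responder outage must not break client handshakes` directly above it. Per the mod_ssl documentation, with this directive off only responses with certificate status "good" are stapled, so a responder failure now yields a handshake with no staple and clients fall back to their own (usually soft-fail) revocation check. That makes stapling failures silent, so monitoring should confirm that a stapled response is actually being served; a certificate carrying the must-staple extension would presumably still be rejected by clients when the staple is absent. Minor style: the new line uses `off` while the neighbouring `SSLUseStapling On` is capitalised.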