From 55f07b266707be40843e951f5811e0de82b50fb5 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Sat, 11 Oct 2014 19:09:27 +0100
Subject: [PATCH] apache ssl: Do not pass OCSP stapling failures to client

Do not pass OCSP stapling failures to client. CA's OCSP servers occionally fail, propagating an error is undesireable and causes Firefox and other clients by default to reject the connection.
---
 cookbooks/apache/templates/default/ssl.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 1e9ea31da..07f007c50 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -9,5 +9,6 @@
 SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
 <% if node[:lsb][:release].to_f >= 14.04 -%>
 SSLUseStapling On
+SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 <% end -%>
-- 
2.43.2
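Review bot: The added `SSLStaplingReturnResponderErrors off` line carries no comment recording its trade-off. Per the mod_ssl documentation, with this setting only responses with certificate status "good" are stapled, so a "revoked" or "unknown" answer is withheld as well as transient responder failures, and clients fall back to their own revocation checking. I would add a template comment above it such as `# Staple only "good" OCSP responses; responder failures are omitted rather than passed to clients`. Since stapling failures are no longer visible to clients, they presumably need to be watched for in the Apache error log. As a style point, the new line writes `off` in lower case while the neighbouring `SSLUseStapling On` is capitalised.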