I've been playing a bit with OCSP stapling in httpd and found the
documentation a bit lacking / confusing.  httpd says:

      ocsp file
              Specify an OCSP response to be stapled during TLS
              handshakes with this server.  The file should contain a
              DER-format OCSP response retrieved from an OCSP server
              for the certificate in use.  The default is to not use
              OCSP stapling.  If the OSCP response in file is empty,
              OCSP stapling will not be used.

But from this bit of text it's not clear that we have ocspcheck(8) to
create these files.  Only much further down is there a Xr to this
program.  I've added a Xr in the description of the ocsp option to
make this easier to find for the uninitiated.

While there, I was rather surprised that the file argument is relative
to the root of the system, not the chroot of the httpd process.  That
suggests (at least to me) that cron(8)'ing staple updates with
ocspcheck will require an httpd reload.  Why can't that simply be read
from the chroot during runtime, so updates to the file take effect
without a restart?  I have my staple file in the docroot (since I
understand it to be public data), is that a bad idea?

Anyway, I thought it prudent to add some words about this too, but I
am less convinced that those are correct.

Cheers,

Paul

Index: httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.87
diff -u -p -r1.87 httpd.conf.5
--- httpd.conf.5        29 Nov 2017 16:55:08 -0000      1.87
+++ httpd.conf.5        20 Dec 2017 07:26:20 -0000
@@ -557,10 +557,16 @@ should contain a DER-format OCSP respons
 OCSP server for the
 .Ar certificate
 in use.
+The
+.Xr ocspcheck 8
+utility can be used to create files in the proper format.
 The default is to not use OCSP stapling.
 If the OSCP response in
 .Ar file
 is empty, OCSP stapling will not be used.
+Note that the path to
+.Ar file
+is not relative to the chroot.
 .It Ic protocols Ar string
 Specify the TLS protocols to enable for this server.
 If not specified, the value
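Review bot: the added sentence "Note that the path to .Ar file is not relative to the chroot." says only what the path is not; a reader who hits this will also want to know what it is relative to and why it matters, namely that the file is read from the real filesystem root when httpd starts or its configuration is reloaded, so a refreshed staple (the cron'd ocspcheck case from the cover letter) is not picked up until a reload. Suggest: "The path to .Ar file is relative to the real root, not the chroot, and the file is read when the configuration is loaded." Separately, the unchanged context line "If the OSCP response in" carries a typo (OSCP should be OCSP); since this hunk already edits the lines around it, fix it in the same commit.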


-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
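The workflow the mail describes, as an added example that is not part of the original message or of httpd: refresh the staple with ocspcheck(8), refuse to install an empty or non-DER result (httpd.conf(5) says an empty file disables stapling), and reload httpd only when the staple actually changed, since the file is read at startup/reload rather than from the chroot at runtime. The certificate and staple paths are assumptions; the matching httpd.conf fragment is shown in a comment.

```shell
#!/bin/sh
# Added example, not from the mail or from httpd: cron-driven OCSP staple refresh.
# Assumed layout; adjust to your own paths.  Matching httpd.conf(5) fragment:
#   server "example.com" {
#       listen on * tls port 443
#       tls {
#           certificate "/etc/ssl/example.com.fullchain.pem"
#           key "/etc/ssl/private/example.com.key"
#           ocsp "/etc/ssl/example.com.ocsp.der"
#       }
#   }
CERT=${CERT:-/etc/ssl/example.com.fullchain.pem}
STAPLE=${STAPLE:-/etc/ssl/example.com.ocsp.der}

# A usable staple is a non-empty DER blob.  A DER-encoded OCSPResponse is a
# SEQUENCE, so its first byte is 0x30; anything else (an empty file, an HTML
# error page saved by accident) must not be installed.
staple_is_usable() {
    f=$1
    [ -s "$f" ] || return 1
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Return 0 when the two files differ, i.e. when httpd has to be reloaded.
staple_changed() {
    ! cmp -s "$1" "$2"
}

# Fetch a fresh response and install it atomically; reload httpd only if needed.
refresh_staple() {
    tmp=$(mktemp "${STAPLE}.XXXXXX") || return 1
    # -N: do not send a nonce (pre-produced responses have none);
    # -o: write the DER response to tmp.  The operand is the certificate chain.
    if ! ocspcheck -N -o "$tmp" "$CERT"; then
        rm -f "$tmp"; return 1
    fi
    if ! staple_is_usable "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if [ -f "$STAPLE" ] && ! staple_changed "$tmp" "$STAPLE"; then
        rm -f "$tmp"; return 0          # unchanged: nothing to reload
    fi
    mv "$tmp" "$STAPLE"
    # The staple path is resolved against the real root at config load time,
    # so a reload is what makes the new response visible to the TLS handshake.
    rcctl reload httpd
}

# Run the refresh only when invoked as "refresh-staple.sh run" (e.g. from cron).
case ${1:-} in
    run) refresh_staple ;;
esac
```

Keeping the staple under /etc/ssl rather than in the docroot costs nothing and keeps a public-but-authoritative artifact out of the web tree; the script does not care where the file lives as long as httpd.conf points at the same path.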
