From 09432ba64d3931206181c895c845116db8d7e877 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Thu, 7 Jan 2021 15:52:58 -0700
Subject: caddytls: Configurable OCSP stapling; global option (closes #3714)

Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
---
 modules/caddytls/automation.go | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

(limited to 'modules/caddytls')

diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 509ad6e..ed29e06 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -107,6 +107,19 @@ type AutomationPolicy struct {
 	// load.
 	OnDemand bool `json:"on_demand,omitempty"`
 
+	// Disables OCSP stapling. Disabling OCSP stapling puts clients at
+	// greater risk, reduces their privacy, and usually lowers client
+	// performance. It is NOT recommended to disable this unless you
+	// are able to justify the costs.
+	// EXPERIMENTAL. Subject to change.
+	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
+	// Overrides the URLs of OCSP responders embedded in certificates.
+	// Each key is a OCSP server URL to override, and its value is the
+	// replacement. An empty value will disable querying of that server.
+	// EXPERIMENTAL. Subject to change.
+	OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
+
 	// Issuers stores the decoded issuer parameters. This is only
 	// used to populate an underlying certmagic.Config's Issuers
 	// field; it is not referenced thereafter.
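Review bot: The OCSPOverrides doc comment does not say how a key is matched against the responder URL found in the certificate (exact string comparison, or after normalizing scheme/host case and a trailing slash), and that rule decides whether an override silently fails to apply and the original responder is contacted anyway; suggest adding a sentence such as `// Keys must match the responder URL exactly as it appears in the certificate.`, adjusted to whatever matching certmagic actually performs. The same sentence also has a small grammar slip: `a OCSP server URL` should read `an OCSP server URL`. For DisableOCSPStapling it would help operators to state the interaction with certificates that carry the Must-Staple extension, since a certificate that requires a staple becomes unusable in clients that enforce it once stapling is turned off; whether this policy can request Must-Staple is not visible in this hunk, so the wording should be confirmed against the rest of the struct.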
@@ -205,9 +218,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		RenewalWindowRatio: ap.RenewalWindowRatio,
 		KeySource:          keySource,
 		OnDemand:           ond,
-		Storage:            storage,
-		Issuers:            issuers,
-		Logger:             tlsApp.logger,
+		OCSP: certmagic.OCSPConfig{
+			DisableStapling:    ap.DisableOCSPStapling,
+			ResponderOverrides: ap.OCSPOverrides,
+		},
+		Storage: storage,
+		Issuers: issuers,
+		Logger:  tlsApp.logger,
 	}
 	ap.magic = certmagic.New(tlsApp.certCache, template)
 
-- 
cgit v1.2.3
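Review bot: The override map is handed to certmagic.OCSPConfig without any validation of its values, so a mistyped replacement URL (wrong scheme, missing host) is only discovered when the first staple fetch fails at runtime, well after config load, and the field doc gives the empty string a special meaning that the code here does not distinguish from a malformed one. Provision already returns an error for other bad inputs, so rejecting invalid replacement URLs before the template is built would make the misconfiguration fail at load time; the loop below does that while still honouring the documented "empty value disables that responder" case. It needs `net/url` (and `fmt`, if the file does not already import it), and the import block is outside this diff. Provision starts before this hunk and the `template :=` literal opens above the first context line.
```go
// … unchanged: start of Provision (on-demand, key source, storage, issuers) …
for origURL, repl := range ap.OCSPOverrides {
	if repl == "" {
		continue // per the field doc, an empty value disables querying that responder
	}
	u, err := url.Parse(repl)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return fmt.Errorf("ocsp_overrides: invalid replacement URL %q for responder %q", repl, origURL)
	}
}
// … unchanged: certmagic.Config template and certmagic.New call …
```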