<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>Configures the cache used to store OCSP responses which get included
in the TLS handshake if <code class="directive"><a href="#sslusestapling">SSLUseStapling</a></code>
is enabled. Configuration of a cache is mandatory for OCSP stapling.
With the exception of <code>none</code> and <code>nonenotnull</code>,
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Number of seconds before expiring invalid responses in the OCSP stapling cache</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>Sets the timeout in seconds before <em>invalid</em> responses
in the OCSP stapling cache (configured through <code class="directive"><a href="#sslstaplingcache">SSLStaplingCache</a></code>) will expire.
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>When enabled and a query to an OCSP responder for stapling
purposes fails, mod_ssl will synthesize a "tryLater" response for the
client. Only effective if <code class="directive"><a href="#sslstaplingreturnrespondererrors">SSLStaplingReturnResponderErrors</a></code>
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Override the OCSP responder URI specified in the certificate's AIA extension</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This directive overrides the URI of an OCSP responder as obtained from
the authorityInfoAccess (AIA) extension of the certificate.
Of potential use when going through a proxy for retrieving OCSP queries.</p>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option sets the timeout for queries to OCSP responders when
<code class="directive"><a href="#sslusestapling">SSLUseStapling</a></code> is enabled
and mod_ssl is querying a responder for OCSP stapling purposes.</p>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option sets the maximum allowable age ("freshness") when
considering OCSP responses for stapling purposes, i.e. when
<code class="directive"><a href="#sslusestapling">SSLUseStapling</a></code> is turned on.
The default value (<code>-1</code>) does not enforce a maximum age,
which means that OCSP responses are considered valid as long as their
<code>nextUpdate</code> field is in the future.</p>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option sets the maximum allowable time skew when mod_ssl checks the
<code>thisUpdate</code> and <code>nextUpdate</code> fields of OCSP responses
which get included in the TLS handshake (OCSP stapling). Only applicable
if <code class="directive"><a href="#sslusestapling">SSLUseStapling</a></code> is turned on.</p>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>When enabled, mod_ssl will pass responses from unsuccessful
stapling related OCSP queries (such as status errors, expired responses etc.)
on to the client. If set to <code>off</code>, no stapled responses
for failed queries will be included in the TLS handshake.</p>
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Number of seconds before expiring responses in the OCSP stapling cache</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>Sets the timeout in seconds before responses in the OCSP stapling cache
(configured through <code class="directive"><a href="#sslstaplingcache">SSLStaplingCache</a></code>)
will expire. This directive applies to <em>valid</em> responses, while
<code class="directive"><a href="#sslstaplingerrorcachetimeout">SSLStaplingErrorCacheTimeout</a></code> is
used for controlling the timeout for invalid/unavailable responses.</p>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option enables OCSP stapling, as defined by the "Certificate
Status Request" TLS extension specified in RFC 6066. If enabled (and
requested by the client), mod_ssl will include an OCSP response
for its own certificate in the TLS handshake. Configuring an
<code class="directive"><a href="#sslstaplingcache">SSLStaplingCache</a></code> is a
prerequisite for enabling OCSP stapling.</p>
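<p>The freshness rules that <code>SSLStaplingResponseMaxAge</code>, <code>SSLStaplingResponseTimeSkew</code> and the two cache-timeout directives describe above can be modelled in a few lines. The following is an added illustration, not mod_ssl's own code: it takes a response's <code>thisUpdate</code>/<code>nextUpdate</code> pair and the directive values (defaults taken from the quick-reference table on this page), and returns whether the response would be stapled and which cache timeout applies. The reference clock <code>NOW</code> and the timestamps are constructed for the demonstration.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults copied from the mod_ssl quick-reference table on this page.
DEFAULT_MAX_AGE = -1      # SSLStaplingResponseMaxAge: -1 means no age limit
DEFAULT_TIME_SKEW = 300   # SSLStaplingResponseTimeSkew (seconds)
DEFAULT_STD_TTL = 3600    # SSLStaplingStandardCacheTimeout (valid responses)
DEFAULT_ERR_TTL = 600     # SSLStaplingErrorCacheTimeout (invalid/unavailable)

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference clock

def at(seconds: int) -> datetime:
    """Timestamp `seconds` relative to NOW (negative = in the past)."""
    return NOW + timedelta(seconds=seconds)

@dataclass
class StaplingVerdict:
    usable: bool     # would this response be stapled into the handshake?
    reason: str
    cache_ttl: int   # seconds the outcome stays in the stapling cache

def evaluate_response(this_update: datetime, next_update: Optional[datetime],
                      now: datetime, max_age: int = DEFAULT_MAX_AGE,
                      time_skew: int = DEFAULT_TIME_SKEW,
                      std_ttl: int = DEFAULT_STD_TTL,
                      err_ttl: int = DEFAULT_ERR_TTL) -> StaplingVerdict:
    """Model of the freshness rules the directives above describe (illustrative,
    not mod_ssl's own code). Rejected responses get the shorter error-cache TTL."""
    skew = timedelta(seconds=time_skew)
    # thisUpdate may not lie further in the future than the allowed skew.
    if this_update > now + skew:
        return StaplingVerdict(False, "thisUpdate not yet valid", err_ttl)
    if next_update is not None:
        if next_update < this_update:  # malformed validity window
            return StaplingVerdict(False, "nextUpdate precedes thisUpdate", err_ttl)
        # nextUpdate may not lie further in the past than the allowed skew.
        if next_update < now - skew:
            return StaplingVerdict(False, "response expired", err_ttl)
    # Optional age cap; -1 (the default) disables it, so a response stays
    # acceptable for as long as nextUpdate is still in the future.
    if max_age >= 0 and now - this_update > timedelta(seconds=max_age):
        return StaplingVerdict(False, "older than SSLStaplingResponseMaxAge", err_ttl)
    return StaplingVerdict(True, "fresh", std_ttl)

if __name__ == "__main__":
    # Constructed cases: one fresh response, one that expired an hour ago.
    print(evaluate_response(at(-3600), at(86400), NOW))
    print(evaluate_response(at(-172800), at(-3600), NOW))
```

<p>Note that with the default skew of 300 seconds a response whose <code>nextUpdate</code> passed less than five minutes ago is still accepted, which is why the quick-reference default is not zero.</p>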
<p>OCSP stapling relieves the client of querying the OCSP responder
on its own, but it should be noted that in its current specification,
the server's <code>CertificateStatus</code> reply may only include an
OCSP response for a single cert. For server certificates with intermediate
CA certificates in their chain (the typical case nowadays),
stapling in its current form therefore only partially achieves the
stated goal of "saving roundtrips and resources" - see also the <a href="https://datatracker.ietf.org/doc/draft-pettersen-tls-ext-multiple-ocsp/">
"Adding Multiple TLS Certificate Status Extension requests"</a> Internet draft.</p>
<tr class="odd"><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslstaplingcache">SSLStaplingCache <em>type</em></a></td><td></td><td>s</td><td>E</td></tr><tr><td class="descr" colspan="4">Configures the OCSP stapling cache</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstaplingerrorcachetimeout">SSLStaplingErrorCacheTimeout <em>seconds</em></a></td><td> 600 </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Number of seconds before expiring invalid responses in the OCSP stapling cache</td></tr>
<tr><td><a href="mod_ssl.html#sslstaplingfaketrylater">SSLStaplingFakeTryLater on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Synthesize "tryLater" responses for failed OCSP stapling queries</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstaplingforceurl">SSLStaplingForceURL <em>uri</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Override the OCSP responder URI specified in the certificate's AIA extension</td></tr>
<tr><td><a href="mod_ssl.html#sslstaplingrespondertimeout">SSLStaplingResponderTimeout <em>seconds</em></a></td><td> 10 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Timeout for OCSP stapling queries</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstaplingresponsemaxage">SSLStaplingResponseMaxAge <em>seconds</em></a></td><td> -1 </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Maximum allowable age for OCSP stapling responses</td></tr>
<tr><td><a href="mod_ssl.html#sslstaplingresponsetimeskew">SSLStaplingResponseTimeSkew <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Maximum allowable time skew for OCSP stapling response validation</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstaplingreturnrespondererrors">SSLStaplingReturnResponderErrors on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Pass stapling related OCSP errors on to client</td></tr>
<tr><td><a href="mod_ssl.html#sslstaplingstandardcachetimeout">SSLStaplingStandardCacheTimeout <em>seconds</em></a></td><td> 3600 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before expiring responses in the OCSP stapling cache</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non-SNI clients to access a name-based virtual
host.
</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslusername">SSLUserName <em>varname</em></a></td><td></td><td>sdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Variable name to determine user name</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslusestapling">SSLUseStapling on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable stapling of OCSP responses in the TLS handshake</td></tr>
<tr><td><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient <em>level</em></a></td><td> none </td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">Type of Client Certificate verification</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslverifydepth">SSLVerifyDepth <em>number</em></a></td><td> 1 </td><td>svdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Maximum depth of CA Certificates in Client