diff --git a/doc/admin-guide/security/index.en.rst b/doc/admin-guide/security/index.en.rst index 829392e2425..e018d089b7a 100644 --- a/doc/admin-guide/security/index.en.rst +++ b/doc/admin-guide/security/index.en.rst @@ -334,6 +334,14 @@ Authority Information Access field of the signed certificate. For example:: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt +Before ATS 10, OCSP fetches were handled by OpenSSL. Starting in ATS 10, +|TS| performs the OCSP fetch itself through FetchSM, so the OCSP responder URL +must also be reachable through :file:`remap.config`. For example, if the +certificate points to ``http://ocsp.digicert.com/`` as its OCSP responder, add +the following mapping:: + + map http://ocsp.digicert.com/ http://ocsp.digicert.com/ + |TS| can also use prefetched OCSP stapling responses if ssl_ocsp_name parameter is used in :file:`ssl_multicert.config`. Take into account that when using prefetched OCSP stapling responses, |TS| will not refresh them and it should be done @@ -395,4 +403,3 @@ To configure Split DNS: enabled: 1 #. Run the command :option:`traffic_ctl config reload` to apply the configuration changes. - diff --git a/doc/release-notes/upgrading.en.rst b/doc/release-notes/upgrading.en.rst index 5fc96c58186..b7e36941ac1 100644 --- a/doc/release-notes/upgrading.en.rst +++ b/doc/release-notes/upgrading.en.rst 
@@ -182,6 +182,16 @@ The following :file:`records.yaml` changes have been made: allocating iobuffers and cache volumes from hugepages if configured in the system. - The records.yaml entry ``proxy.config.plugin.compiler_path`` has been added to specify an optional compiler tool path for compiling plugins. +- If OCSP stapling is enabled, ATS 10 and later fetch OCSP responses through + FetchSM instead of OpenSSL. Add the OCSP responder URL from the certificate + to :file:`remap.config`. For example, a certificate that uses + ``http://ocsp.digicert.com/`` needs the following mapping: + + .. code-block:: none + + map http://ocsp.digicert.com/ http://ocsp.digicert.com/ + + See :ref:`admin-ocsp-stapling` for more details. The following changes have been made to the :file:`sni.yaml` file:
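Review bot: the identity rule ``map http://ocsp.digicert.com/ http://ocsp.digicert.com/`` added in the index.en.rst hunk is a client-facing remap rule, so it makes the responder reachable to any client that sends a request for that host through |TS|, not only to the internal FetchSM fetch; the text should say so and show how to confine the rule (for example with a remap ACL filter restricted to the local source address) or at least warn that the rule opens a forward path. The hunk also leaves the failure mode undocumented: state what |TS| does when the responder URL has no mapping (whether an error is logged and the certificate is served without a stapled response), so an operator can detect a missing mapping after upgrading instead of discovering it from clients doing their own OCSP lookups.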
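Review bot: the new bullet in the upgrading.en.rst hunk is appended to the list introduced by "The following :file:`records.yaml` changes have been made:" although it describes a :file:`remap.config` change rather than a records.yaml entry; move it to its own paragraph or a remap.config subsection so a reader scanning records.yaml changes is not misled. Also confirm that the ``admin-ocsp-stapling`` label exists in doc/admin-guide/security/index.en.rst, since the index.en.rst hunk in this patch does not add it and an unresolved :ref: produces a Sphinx warning and a dead link.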