From b3fc06ecef18d1d74f2404fccbfbff116dca6308 Mon Sep 17 00:00:00 2001 From: bneradt Date: Tue, 10 Mar 2026 15:31:53 -0500 Subject: [PATCH 1/2] Document OCSP remap requirement Document that ATS 10 and later fetch OCSP responses through FetchSM instead of OpenSSL. Add the remap.config requirement and a Digicert mapping example to the OCSP stapling admin guide section so operators know they must map the responder URL. --- doc/admin-guide/security/index.en.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/admin-guide/security/index.en.rst b/doc/admin-guide/security/index.en.rst index 829392e2425..e018d089b7a 100644 --- a/doc/admin-guide/security/index.en.rst +++ b/doc/admin-guide/security/index.en.rst @@ -334,6 +334,14 @@ Authority Information Access field of the signed certificate. For example:: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt +Before ATS 10, OCSP fetches were handled by OpenSSL. Starting in ATS 10, +|TS| performs the OCSP fetch itself through FetchSM, so the OCSP responder URL +must also be reachable through :file:`remap.config`. For example, if the +certificate points to ``http://ocsp.digicert.com/`` as its OCSP responder, add +the following mapping:: + + map http://ocsp.digicert.com/ http://ocsp.digicert.com/ + |TS| can also use prefetched OCSP stapling responses if ssl_ocsp_name parameter is used in :file:`ssl_multicert.config`. Take into account that when using prefetched OCSP stapling responses, |TS| will not refresh them and it should be done @@ -395,4 +403,3 @@ To configure Split DNS: enabled: 1 #. Run the command :option:`traffic_ctl config reload` to apply the configuration changes. - From d242c486d52af7cfa170e346c5f673df28728ae3 Mon Sep 17 00:00:00 2001 
From: bneradt Date: Tue, 10 Mar 2026 15:37:36 -0500 Subject: [PATCH 2/2] Add OCSP note to ATS 10 upgrade guide Add the ATS 10 migration note for OCSP stapling to the upgrade notes as well as the admin guide. This calls out the remap.config requirement for OCSP responder URLs so operators upgrading from ATS 9 do not miss it. --- doc/release-notes/upgrading.en.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/release-notes/upgrading.en.rst b/doc/release-notes/upgrading.en.rst index 5fc96c58186..b7e36941ac1 100644 --- a/doc/release-notes/upgrading.en.rst +++ b/doc/release-notes/upgrading.en.rst @@ -182,6 +182,16 @@ The following :file:`records.yaml` changes have been made: allocating iobuffers and cache volumes from hugepages if configured in the system. - The records.yaml entry ``proxy.config.plugin.compiler_path`` has been added to specify an optional compiler tool path for compiling plugins. +- If OCSP stapling is enabled, ATS 10 and later fetch OCSP responses through + FetchSM instead of OpenSSL. Add the OCSP responder URL from the certificate + to :file:`remap.config`. For example, a certificate that uses + ``http://ocsp.digicert.com/`` needs the following mapping: + + .. code-block:: none + + map http://ocsp.digicert.com/ http://ocsp.digicert.com/ + + See :ref:`admin-ocsp-stapling` for more details. The following changes have been made to the :file:`sni.yaml` file:
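Review bot: In the admin-guide hunk (doc/admin-guide/security/index.en.rst), the responder URL in the new paragraph and map rule is written as ``http://ocsp.digicert.com/`` with a trailing slash, while the Authority Information Access example a few lines above prints it as ``OCSP - URI:http://ocsp.digicert.com`` without one; quoting the same form in both places avoids operators wondering whether the slash matters. The rule ``map http://ocsp.digicert.com/ http://ocsp.digicert.com/`` is an identity mapping, so the text should say explicitly that the target is the same URL and that the point is only to make the responder reachable through remap.config; it is also worth stating what an operator will observe when the mapping is missing (whether the OCSP fetch fails and stapling is silently not served), since the "must also be reachable" sentence does not say. Finally, an identity map for a public responder host also makes that host reachable for ordinary client requests passing through the proxy, so a sentence on whether that is intended, or how to restrict it, would help. The second hunk in this file only drops a trailing blank line and needs no comment.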
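Review bot: In the upgrade-notes hunk (doc/release-notes/upgrading.en.rst), the new bullet is inserted under "The following :file:`records.yaml` changes have been made:", but it describes a remap.config requirement, not a records.yaml change; it belongs under its own heading (for example next to the sni.yaml changes that follow) or in a TLS/OCSP subsection so readers scanning for records.yaml changes are not misled. The cross-reference ``:ref:`admin-ocsp-stapling``` assumes a label of that name exists in the admin guide, and PATCH 1/2 does not add one; please confirm the label is present or add ``.. _admin-ocsp-stapling:`` above the OCSP stapling section so the Sphinx build does not emit an undefined-label warning. Minor: the admin guide uses a ``::`` literal block for the same map line while this hunk uses ``.. code-block:: none``; picking one style keeps the two snippets consistent.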