From 2250920e1d8506991c97275f1e517e1189c20a2f Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 12 Apr 2021 16:09:02 -0600
Subject: [PATCH] caddytls: Disable OCSP stapling for manual certs (#4064)

---
 modules/caddytls/tls.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index a0853bae..c111bbba 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -56,6 +56,16 @@ type TLS struct {
 	// Configures the in-memory certificate cache.
 	Cache *CertCacheOptions `json:"cache,omitempty"`
 
+	// Disables OCSP stapling for manually-managed certificates only.
+	// To configure OCSP stapling for automated certificates, use an
+	// automation policy instead.
+	//
+	// Disabling OCSP stapling puts clients at greater risk, reduces their
+	// privacy, and usually lowers client performance. It is NOT recommended
+	// to disable this unless you are able to justify the costs.
+	// EXPERIMENTAL. Subject to change.
+	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
 	certificateLoaders []CertificateLoader
 	automateNames []string
 	certCache *certmagic.Cache
@@ -173,6 +183,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	magic := certmagic.New(t.certCache, certmagic.Config{
 		Storage: ctx.Storage(),
 		Logger: t.logger,
+		OCSP: certmagic.OCSPConfig{
+			DisableStapling: t.DisableOCSPStapling,
+		},
 	})
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
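Review bot: The new OCSP block in the certmagic.Config passed to certmagic.New weakens revocation checking for every manually-loaded certificate whenever DisableOCSPStapling is true, and nothing in the hunk makes that visible at startup; since t.logger is already in scope here, a one-line warning lets operators spot the degraded posture in logs, e.g. `if t.DisableOCSPStapling { t.logger.Warn("OCSP stapling disabled for manually-managed certificates") }` (assuming t.logger is the usual *zap.Logger). The struct doc added in the first hunk promises the switch affects manually-managed certificates only, which holds only if automation policies build their own certmagic.Config elsewhere; Provision begins before and continues past this hunk, so the patch itself does not show that. A short comment on the added lines, `// applies to the manual-cert config only; automation policies set OCSP options themselves`, would tie the field doc to this call site for the next reader.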