Mercurial > hg > nginx-site
comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 695:2eb83e89b239
Added the OCSP stapling documentation in English.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Tue, 02 Oct 2012 13:44:56 +0000 |
| parents | 764fbac1b8b4 |
| children | 3880034cc90c |
comparison
equal
deleted
inserted
replaced
| 694:2ced25001893 | 695:2eb83e89b239 |
|---|---|
| 195 <default/> | 195 <default/> |
| 196 <context>http</context> | 196 <context>http</context> |
| 197 <context>server</context> | 197 <context>server</context> |
| 198 | 198 |
| 199 <para> | 199 <para> |
| 200 Specifies a file with CA certificates in the PEM format | 200 Specifies a file with a list of CA certificates in the PEM format |
| 201 used for client certificate verification. | 201 used to verify client certificates and |
| 202 OCSP responses if <link id="ssl_stapling"/> is enabled. | |
| 203 </para> | |
| 204 | |
| 205 <para> | |
| 206 The list of certificates will be sent to clients. | |
| 207 If this is not desired, the <link id="ssl_trusted_certificate"/> | |
| 208 directive can be used. | |
| 202 </para> | 209 </para> |
| 203 | 210 |
| 204 </directive> | 211 </directive> |
| 205 | 212 |
| 206 | 213 |
| 346 </para> | 353 </para> |
| 347 | 354 |
| 348 </directive> | 355 </directive> |
| 349 | 356 |
| 350 | 357 |
| 358 <directive name="ssl_stapling"> | |
| 359 <syntax><literal>on</literal> | <literal>off</literal></syntax> | |
| 360 <default>off</default> | |
| 361 <context>http</context> | |
| 362 <context>server</context> | |
| 363 <appeared-in>1.3.7</appeared-in> | |
| 364 | |
| 365 <para> | |
| 366 Enables or disables | |
| 367 <link url="http://tools.ietf.org/html/rfc4366#section-3.6">stapling | |
| 368 of OCSP responses</link> by the server. | |
| 369 Example: | |
| 370 <example> | |
| 371 ssl_stapling on; | |
| 372 resolver 192.0.2.1; | |
| 373 </example> | |
| 374 </para> | |
| 375 | |
| 376 <para> | |
| 377 For the OCSP stapling to work, the certificate of the issuer of the server | |
| 378 certificate should be known. | |
| 379 If the <link id="ssl_certificate">ssl_certificate</link> file does | |
| 380 not contain intermediate certificates, | |
| 381 the certificate of the issuer of the server certificate should be | |
| 382 present in the | |
| 383 <link id="ssl_trusted_certificate">ssl_trusted_certificate</link> file. | |
| 384 </para> | |
| 385 | |
| 386 <para> | |
| 387 The <link doc="ngx_http_core_module.xml" id="resolver"/> directive | |
| 388 should also be specified to allow for a resolution | |
| 389 of an OCSP responder hostname. | |
| 390 </para> | |
| 391 | |
| 392 </directive> | |
| 393 | |
| 394 | |
| 395 <directive name="ssl_stapling_file"> | |
| 396 <syntax><value>file</value></syntax> | |
| 397 <default/> | |
| 398 <context>http</context> | |
| 399 <context>server</context> | |
| 400 <appeared-in>1.3.7</appeared-in> | |
| 401 | |
| 402 <para> | |
| 403 When set, the stapled OCSP response will be taken from the | |
| 404 specified <value>file</value> instead of querying | |
| 405 the OCSP responder specified in the server certificate. | |
| 406 </para> | |
| 407 | |
| 408 <para> | |
| 409 The file should be in the DER format as produced by the | |
| 410 “<literal>openssl ocsp</literal>” command. | |
| 411 </para> | |
| 412 | |
| 413 </directive> | |
| 414 | |
| 415 | |
| 416 <directive name="ssl_stapling_responder"> | |
| 417 <syntax><value>url</value></syntax> | |
| 418 <default/> | |
| 419 <context>http</context> | |
| 420 <context>server</context> | |
| 421 <appeared-in>1.3.7</appeared-in> | |
| 422 | |
| 423 <para> | |
| 424 Overrides the URL of OCSP responder specified in the | |
| 425 “<link url="http://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority | |
| 426 Information Access</link>” certificate extension. | |
| 427 </para> | |
| 428 | |
| 429 <para> | |
| 430 Only “<literal>http://</literal>” OCSP responders are supported: | |
| 431 <example> | |
| 432 ssl_stapling_responder http://ocsp.example.com/; | |
| 433 </example> | |
| 434 </para> | |
| 435 | |
| 436 </directive> | |
| 437 | |
| 438 | |
| 439 <directive name="ssl_stapling_verify"> | |
| 440 <syntax><literal>on</literal> | <literal>off</literal></syntax> | |
| 441 <default>off</default> | |
| 442 <context>http</context> | |
| 443 <context>server</context> | |
| 444 <appeared-in>1.3.7</appeared-in> | |
| 445 | |
| 446 <para> | |
| 447 Enables or disables verification of OCSP responses by the server. | |
| 448 </para> | |
| 449 | |
| 450 <para> | |
| 451 For verification to work, the certificate of the issuer of the server | |
| 452 certificate, the root certificate, and all intermediate certificates | |
| 453 should be configured as trusted using the | |
| 454 <link id="ssl_trusted_certificate"/> directive. | |
| 455 </para> | |
| 456 | |
| 457 </directive> | |
| 458 | |
| 459 | |
| 460 <directive name="ssl_trusted_certificate"> | |
| 461 <syntax><value>file</value></syntax> | |
| 462 <default/> | |
| 463 <context>http</context> | |
| 464 <context>server</context> | |
| 465 <appeared-in>1.3.7</appeared-in> | |
| 466 | |
| 467 <para> | |
| 468 Specifies a file with a list of CA certificates in the PEM format | |
| 469 used to verify client certificates and | |
| 470 OCSP responses if <link id="ssl_stapling"/> is enabled. | |
| 471 </para> | |
| 472 | |
| 473 <para> | |
| 474 In contrast to <link id="ssl_client_certificate"/>, these certificates | |
| 475 will not be sent to clients. | |
| 476 </para> | |
| 477 | |
| 478 </directive> | |
| 479 | |
| 480 | |
| 351 <directive name="ssl_verify_client"> | 481 <directive name="ssl_verify_client"> |
| 352 <syntax> | 482 <syntax> |
| 353 <literal>on</literal> | <literal>off</literal> | | 483 <literal>on</literal> | <literal>off</literal> | |
| 354 <literal>optional</literal></syntax> | 484 <literal>optional</literal></syntax> |
| 355 <default>off</default> | 485 <default>off</default> |