comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 695:2eb83e89b239
Added the OCSP stapling documentation in English.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Tue, 02 Oct 2012 13:44:56 +0000 |
parents | 764fbac1b8b4 |
children | 3880034cc90c |
694:2ced25001893 | 695:2eb83e89b239 |
---|---|
195 <default/> | 195 <default/> |
196 <context>http</context> | 196 <context>http</context> |
197 <context>server</context> | 197 <context>server</context> |
198 | 198 |
199 <para> | 199 <para> |
200 Specifies a file with CA certificates in the PEM format | 200 Specifies a file with a list of CA certificates in the PEM format |
201 used for client certificate verification. | 201 used to verify client certificates and |
202 OCSP responses if <link id="ssl_stapling"/> is enabled. | |
203 </para> | |
204 | |
205 <para> | |
206 The list of certificates will be sent to clients. | |
207 If this is not desired, the <link id="ssl_trusted_certificate"/> | |
208 directive can be used. | |
202 </para> | 209 </para> |
203 | 210 |
204 </directive> | 211 </directive> |
205 | 212 |
206 | 213 |
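Review bot: in the rewritten ssl_client_certificate paragraph, the condition "OCSP responses if ssl_stapling is enabled" should point at ssl_stapling_verify, not ssl_stapling: the ssl_stapling_verify directive added further down in this same change is what "enables or disables verification of OCSP responses by the server", and it defaults to off, so with only ssl_stapling on the CA list is not consulted for OCSP responses at all. The new sentence "The list of certificates will be sent to clients" is also the natural place to state the consequence that motivates the new directive: whatever is listed here is disclosed to every connecting client during the handshake, so CA certificates that are needed only to verify OCSP responses belong in ssl_trusted_certificate, which the next sentence already recommends. Suggested wording: "The list of certificates will be sent to clients. CA certificates needed only to verify OCSP responses should be placed in ssl_trusted_certificate instead, as that list is not sent."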
346 </para> | 353 </para> |
347 | 354 |
348 </directive> | 355 </directive> |
349 | 356 |
350 | 357 |
358 <directive name="ssl_stapling"> | |
359 <syntax><literal>on</literal> | <literal>off</literal></syntax> | |
360 <default>off</default> | |
361 <context>http</context> | |
362 <context>server</context> | |
363 <appeared-in>1.3.7</appeared-in> | |
364 | |
365 <para> | |
366 Enables or disables | |
367 <link url="http://tools.ietf.org/html/rfc4366#section-3.6">stapling | |
368 of OCSP responses</link> by the server. | |
369 Example: | |
370 <example> | |
371 ssl_stapling on; | |
372 resolver 192.0.2.1; | |
373 </example> | |
374 </para> | |
375 | |
376 <para> | |
377 For the OCSP stapling to work, the certificate of the issuer of the server | |
378 certificate should be known. | |
379 If the <link id="ssl_certificate">ssl_certificate</link> file does | |
380 not contain intermediate certificates, | |
381 the certificate of the issuer of the server certificate should be | |
382 present in the | |
383 <link id="ssl_trusted_certificate">ssl_trusted_certificate</link> file. | |
384 </para> | |
385 | |
386 <para> | |
387 The <link doc="ngx_http_core_module.xml" id="resolver"/> directive | |
388 should also be specified to allow for a resolution | |
389 of an OCSP responder hostname. | |
390 </para> | |
391 | |
392 </directive> | |
393 | |
394 | |
395 <directive name="ssl_stapling_file"> | |
396 <syntax><value>file</value></syntax> | |
397 <default/> | |
398 <context>http</context> | |
399 <context>server</context> | |
400 <appeared-in>1.3.7</appeared-in> | |
401 | |
402 <para> | |
403 When set, the stapled OCSP response will be taken from the | |
404 specified <value>file</value> instead of querying | |
405 the OCSP responder specified in the server certificate. | |
406 </para> | |
407 | |
408 <para> | |
409 The file should be in the DER format as produced by the | |
410 “<literal>openssl ocsp</literal>” command. | |
411 </para> | |
412 | |
413 </directive> | |
414 | |
415 | |
416 <directive name="ssl_stapling_responder"> | |
417 <syntax><value>url</value></syntax> | |
418 <default/> | |
419 <context>http</context> | |
420 <context>server</context> | |
421 <appeared-in>1.3.7</appeared-in> | |
422 | |
423 <para> | |
424 Overrides the URL of OCSP responder specified in the | |
425 “<link url="http://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority | |
426 Information Access</link>” certificate extension. | |
427 </para> | |
428 | |
429 <para> | |
430 Only “<literal>http://</literal>” OCSP responders are supported: | |
431 <example> | |
432 ssl_stapling_responder http://ocsp.example.com/; | |
433 </example> | |
434 </para> | |
435 | |
436 </directive> | |
437 | |
438 | |
439 <directive name="ssl_stapling_verify"> | |
440 <syntax><literal>on</literal> | <literal>off</literal></syntax> | |
441 <default>off</default> | |
442 <context>http</context> | |
443 <context>server</context> | |
444 <appeared-in>1.3.7</appeared-in> | |
445 | |
446 <para> | |
447 Enables or disables verification of OCSP responses by the server. | |
448 </para> | |
449 | |
450 <para> | |
451 For verification to work, the certificate of the issuer of the server | |
452 certificate, the root certificate, and all intermediate certificates | |
453 should be configured as trusted using the | |
454 <link id="ssl_trusted_certificate"/> directive. | |
455 </para> | |
456 | |
457 </directive> | |
458 | |
459 | |
460 <directive name="ssl_trusted_certificate"> | |
461 <syntax><value>file</value></syntax> | |
462 <default/> | |
463 <context>http</context> | |
464 <context>server</context> | |
465 <appeared-in>1.3.7</appeared-in> | |
466 | |
467 <para> | |
468 Specifies a file with a list of CA certificates in the PEM format | |
469 used to verify client certificates and | |
470 OCSP responses if <link id="ssl_stapling"/> is enabled. | |
471 </para> | |
472 | |
473 <para> | |
474 In contrast to <link id="ssl_client_certificate"/>, these certificates | |
475 will not be sent to clients. | |
476 </para> | |
477 | |
478 </directive> | |
479 | |
480 | |
351 <directive name="ssl_verify_client"> | 481 <directive name="ssl_verify_client"> |
352 <syntax> | 482 <syntax> |
353 <literal>on</literal> | <literal>off</literal> | | 483 <literal>on</literal> | <literal>off</literal> | |
354 <literal>optional</literal></syntax> | 484 <literal>optional</literal></syntax> |
355 <default>off</default> | 485 <default>off</default> |
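Review bot: the ssl_stapling paragraph never mentions ssl_stapling_verify, which this same change introduces with a default of off, so a reader who copies the example ("ssl_stapling on; resolver 192.0.2.1;") ends up with responses fetched from the responder named in the certificate and stapled without their signature being checked, and nothing in the ssl_stapling text hints that a further directive is needed. Suggest one extra sentence there, e.g. "Verification of the received responses is enabled with ssl_stapling_verify", and a matching note under ssl_stapling_responder that, since only "http://" responders are supported, the stapled response's integrity rests entirely on that verification and on the CA set in ssl_trusted_certificate. The ssl_stapling_file text should also state whether the file is re-read when it changes and what happens when the response it holds reaches its expiry, since as written it only says the response "will be taken from the specified file" and an operator cannot tell from this whether a stale DER response keeps being stapled.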