comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 2548:ffc4083f5c7e
Documented ssl_ocsp, ssl_ocsp_cache, ssl_ocsp_responder directives.
| field | value |
|---|---|
| author | Yaroslav Zhuravlev <yar@nginx.com> |
| date | Tue, 19 May 2020 12:43:22 +0100 |
| parents | c60a8a15010c |
| children | d8bf37d20449 |
2547:baf8cbfa3df1 | 2548:ffc4083f5c7e |
---|---|
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> | 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> |
9 | 9 |
10 <module name="Module ngx_http_ssl_module" | 10 <module name="Module ngx_http_ssl_module" |
11 link="/en/docs/http/ngx_http_ssl_module.html" | 11 link="/en/docs/http/ngx_http_ssl_module.html" |
12 lang="en" | 12 lang="en" |
13 rev="48"> | 13 rev="49"> |
14 | 14 |
15 <section id="summary"> | 15 <section id="summary"> |
16 | 16 |
17 <para> | 17 <para> |
18 The <literal>ngx_http_ssl_module</literal> module provides the | 18 The <literal>ngx_http_ssl_module</literal> module provides the |
399 </para> | 399 </para> |
400 | 400 |
401 </directive> | 401 </directive> |
402 | 402 |
403 | 403 |
404 <directive name="ssl_ocsp"> | |
405 <syntax><literal>on</literal> | | |
406 <literal>off</literal> | | |
407 <literal>leaf</literal></syntax> | |
408 <default>off</default> | |
409 <context>http</context> | |
410 <context>server</context> | |
411 <appeared-in>1.19.0</appeared-in> | |
412 | |
413 <para> | |
414 Enables OCSP validation of the client certificate chain. | |
415 The <literal>leaf</literal> parameter | |
416 enables validation of the client certificate only. | |
417 </para> | |
418 | |
419 <para> | |
420 For the OCSP validation to work, | |
421 the <link id="ssl_verify_client"/> directive should be set to | |
422 <literal>on</literal> or <literal>optional</literal>. | |
423 </para> | |
424 | |
425 <para> | |
426 To resolve the OCSP responder hostname, | |
427 the <link doc="ngx_http_core_module.xml" id="resolver"/> directive | |
428 should also be specified. | |
429 </para> | |
430 | |
431 <para> | |
432 Example: | |
433 <example> | |
434 ssl_verify_client on; | |
435 ssl_ocsp on; | |
436 resolver 192.0.2.1; | |
437 </example> | |
438 </para> | |
439 | |
440 </directive> | |
441 | |
442 | |
443 <directive name="ssl_ocsp_cache"> | |
444 <syntax> | |
445 <literal>off</literal> | | |
446 [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax> | |
447 <default>off</default> | |
448 <context>http</context> | |
449 <context>server</context> | |
450 <appeared-in>1.19.0</appeared-in> | |
451 | |
452 <para> | |
453 Sets <literal>name</literal> and <literal>size</literal> of the cache | |
454 that stores client certificates status for OCSP validation. | |
455 The cache is shared between all worker processes. | |
456 A cache with the same name can be used in several virtual servers. | |
457 </para> | |
458 | |
459 <para> | |
460 The <literal>off</literal> parameter prohibits the use of the cache. | |
461 </para> | |
462 | |
463 </directive> | |
464 | |
465 | |
466 <directive name="ssl_ocsp_responder"> | |
467 <syntax><value>url</value></syntax> | |
468 <default/> | |
469 <context>http</context> | |
470 <context>server</context> | |
471 <appeared-in>1.19.0</appeared-in> | |
472 | |
473 <para> | |
474 Overrides the URL of the OCSP responder specified in the | |
475 “<link url="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority | |
476 Information Access</link>” certificate extension | |
477 for <link id="ssl_ocsp">validation</link> of client certificates. | |
478 </para> | |
479 | |
480 <para> | |
481 Only “<literal>http://</literal>” OCSP responders are supported: | |
482 <example> | |
483 ssl_ocsp_responder http://ocsp.example.com/; | |
484 </example> | |
485 </para> | |
486 | |
487 </directive> | |
488 | |
489 | |
404 <directive name="ssl_password_file"> | 490 <directive name="ssl_password_file"> |
405 <syntax><value>file</value></syntax> | 491 <syntax><value>file</value></syntax> |
406 <default/> | 492 <default/> |
407 <context>http</context> | 493 <context>http</context> |
408 <context>server</context> | 494 <context>server</context> |
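Review bot: The new ssl_ocsp paragraph ("Enables OCSP validation of the client certificate chain ...") does not say what happens to the connection when the OCSP check fails or when no response can be obtained from the responder, nor whether that outcome differs between ssl_verify_client `on` and `optional`; since this decides whether a revoked client certificate is rejected outright or merely reported, a sentence stating the effect on the connection and how the validation result is exposed to the configuration would make the directive usable without reading the source. Smaller points in the same hunk: in the ssl_ocsp_cache description, "stores client certificates status" should read "stores the status of client certificates"; the cache description gives no indication of how long a cached status remains valid before it is refreshed, which operators need to know for revocation latency; and the ssl_ocsp_responder text could say explicitly that the override replaces the responder URL for the whole validated chain or only for the leaf, whichever is intended, given that ssl_ocsp has a `leaf` mode.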