diff xml/en/docs/http/ngx_http_ssl_module.xml @ 2548:ffc4083f5c7e
Documented ssl_ocsp, ssl_ocsp_cache, ssl_ocsp_responder directives.
| author | Yaroslav Zhuravlev <yar@nginx.com> |
|---|---|
| date | Tue, 19 May 2020 12:43:22 +0100 |
| parents | c60a8a15010c |
| children | d8bf37d20449 |
line diff
--- a/xml/en/docs/http/ngx_http_ssl_module.xml Tue May 19 15:05:49 2020 +0100 +++ b/xml/en/docs/http/ngx_http_ssl_module.xml Tue May 19 12:43:22 2020 +0100 @@ -10,7 +10,7 @@ <module name="Module ngx_http_ssl_module" link="/en/docs/http/ngx_http_ssl_module.html" lang="en" - rev="48"> + rev="49"> <section id="summary"> 
@@ -401,6 +401,92 @@ </directive> +<directive name="ssl_ocsp"> +<syntax><literal>on</literal> | + <literal>off</literal> | + <literal>leaf</literal></syntax> +<default>off</default> +<context>http</context> +<context>server</context> +<appeared-in>1.19.0</appeared-in> + +<para> +Enables OCSP validation of the client certificate chain. +The <literal>leaf</literal> parameter +enables validation of the client certificate only. +</para> + +<para> +For the OCSP validation to work, +the <link id="ssl_verify_client"/> directive should be set to +<literal>on</literal> or <literal>optional</literal>. +</para> + +<para> +To resolve the OCSP responder hostname, +the <link doc="ngx_http_core_module.xml" id="resolver"/> directive +should also be specified. +</para> + +<para> +Example: +<example> +ssl_verify_client on; +ssl_ocsp on; +resolver 192.0.2.1; +</example> +</para> + +</directive> + + +<directive name="ssl_ocsp_cache"> +<syntax> + <literal>off</literal> | + [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax> +<default>off</default> +<context>http</context> +<context>server</context> +<appeared-in>1.19.0</appeared-in> + +<para> +Sets <literal>name</literal> and <literal>size</literal> of the cache +that stores client certificates status for OCSP validation. +The cache is shared between all worker processes. +A cache with the same name can be used in several virtual servers. +</para> + +<para> +The <literal>off</literal> parameter prohibits the use of the cache. +</para> + +</directive> + + +<directive name="ssl_ocsp_responder"> +<syntax><value>url</value></syntax> +<default/> +<context>http</context> +<context>server</context> +<appeared-in>1.19.0</appeared-in> + +<para> +Overrides the URL of the OCSP responder specified in the +“<link url="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority +Information Access</link>” certificate extension +for <link id="ssl_ocsp">validation</link> of client certificates. 
+</para> + +<para> +Only “<literal>http://</literal>” OCSP responders are supported: +<example> +ssl_ocsp_responder http://ocsp.example.com/; +</example> +</para> + +</directive> + + <directive name="ssl_password_file"> <syntax><value>file</value></syntax> <default/>
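Review bot: the ssl_ocsp directive text never says what happens when validation cannot complete, i.e. when the OCSP responder is unreachable, times out or returns an error, and that is the one thing an operator enabling this needs to know before turning it on in production; add a sentence after "Enables OCSP validation of the client certificate chain." stating whether the client certificate is then treated as failed verification, how that outcome is surfaced to the operator, and whether it differs between ssl_verify_client `on` and `optional`. Smaller points in the same hunk: the ssl_ocsp_cache syntax `off | [shared:name:size]` puts brackets around the only non-off alternative, while ssl_ocsp in the same hunk writes `on | off | leaf` without them, so drop the brackets; that directive also does not say how long a cached status is kept, and unlike the other two it has no example (something like `ssl_ocsp_cache shared:ocsp:10m;` in an <example> block would match the others); "stores client certificates status" should read "stores the status of client certificates". For ssl_ocsp_responder, since `ssl_ocsp on` validates the whole chain and `leaf` only the client certificate, say whether the single override URL is also used for intermediate certificates, because that is only correct when one responder serves the entire chain.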