changeset 4878:695cc88ad649
OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain. This case won't need any extra trusted certificates.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:51:27 +0000 |
parents | f2e450929c1f |
children | 4a804fd04e6c |
files | src/event/ngx_event_openssl_stapling.c |
diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) |
--- a/src/event/ngx_event_openssl_stapling.c Mon Oct 01 12:50:36 2012 +0000 +++ b/src/event/ngx_event_openssl_stapling.c Mon Oct 01 12:51:27 2012 +0000 @@ -588,7 +588,7 @@ chain = staple->ssl_ctx->extra_certs; #endif - if (OCSP_basic_verify(basic, chain, store, 0) != 1) { + if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, "OCSP_basic_verify() failed"); goto error;
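Review bot: The new OCSP_TRUSTOTHER argument in the OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) call has no comment explaining the trust decision it makes, and this deserves one at the call site. With this flag OpenSSL implicitly trusts a signer certificate found in the certs argument, so a response signed by anything in `chain` is accepted without that signer being validated against `store`. The visible context sets `chain = staple->ssl_ctx->extra_certs` just before an `#endif`, so the safety of the change rests on `chain` holding only certificates the administrator configured. Please add a short comment above the `if` stating that assumption, and confirm that the other branch of the preprocessor conditional (not shown in this hunk) fills `chain` from the same configured source. The "OCSP_basic_verify() failed" log text is unchanged, which is fine, but the documentation for stapling verification should mention that extra trusted certificates are no longer needed in the case the commit message describes.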