comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 2548:ffc4083f5c7e

Documented ssl_ocsp, ssl_ocsp_cache, ssl_ocsp_responder directives.
author Yaroslav Zhuravlev <yar@nginx.com>
date Tue, 19 May 2020 12:43:22 +0100
parents c60a8a15010c
children d8bf37d20449
2547:baf8cbfa3df1 2548:ffc4083f5c7e
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
9 9
10 <module name="Module ngx_http_ssl_module" 10 <module name="Module ngx_http_ssl_module"
11 link="/en/docs/http/ngx_http_ssl_module.html" 11 link="/en/docs/http/ngx_http_ssl_module.html"
12 lang="en" 12 lang="en"
13 rev="48"> 13 rev="49">
14 14
15 <section id="summary"> 15 <section id="summary">
16 16
17 <para> 17 <para>
18 The <literal>ngx_http_ssl_module</literal> module provides the 18 The <literal>ngx_http_ssl_module</literal> module provides the
399 </para> 399 </para>
400 400
401 </directive> 401 </directive>
402 402
403 403
404 <directive name="ssl_ocsp">
405 <syntax><literal>on</literal> |
406 <literal>off</literal> |
407 <literal>leaf</literal></syntax>
408 <default>off</default>
409 <context>http</context>
410 <context>server</context>
411 <appeared-in>1.19.0</appeared-in>
412
413 <para>
414 Enables OCSP validation of the client certificate chain.
415 The <literal>leaf</literal> parameter
416 enables validation of the client certificate only.
417 </para>
418
419 <para>
420 For the OCSP validation to work,
421 the <link id="ssl_verify_client"/> directive should be set to
422 <literal>on</literal> or <literal>optional</literal>.
423 </para>
424
425 <para>
426 To resolve the OCSP responder hostname,
427 the <link doc="ngx_http_core_module.xml" id="resolver"/> directive
428 should also be specified.
429 </para>
430
431 <para>
432 Example:
433 <example>
434 ssl_verify_client on;
435 ssl_ocsp on;
436 resolver 192.0.2.1;
437 </example>
438 </para>
439
440 </directive>
441
442
443 <directive name="ssl_ocsp_cache">
444 <syntax>
445 <literal>off</literal> |
446 [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax>
447 <default>off</default>
448 <context>http</context>
449 <context>server</context>
450 <appeared-in>1.19.0</appeared-in>
451
452 <para>
453 Sets <literal>name</literal> and <literal>size</literal> of the cache
454 that stores client certificates status for OCSP validation.
455 The cache is shared between all worker processes.
456 A cache with the same name can be used in several virtual servers.
457 </para>
458
459 <para>
460 The <literal>off</literal> parameter prohibits the use of the cache.
461 </para>
462
463 </directive>
464
465
466 <directive name="ssl_ocsp_responder">
467 <syntax><value>url</value></syntax>
468 <default/>
469 <context>http</context>
470 <context>server</context>
471 <appeared-in>1.19.0</appeared-in>
472
473 <para>
474 Overrides the URL of the OCSP responder specified in the
475 “<link url="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority
476 Information Access</link>” certificate extension
477 for <link id="ssl_ocsp">validation</link> of client certificates.
478 </para>
479
480 <para>
481 Only “<literal>http://</literal>” OCSP responders are supported:
482 <example>
483 ssl_ocsp_responder http://ocsp.example.com/;
484 </example>
485 </para>
486
487 </directive>
488
489
404 <directive name="ssl_password_file"> 490 <directive name="ssl_password_file">
405 <syntax><value>file</value></syntax> 491 <syntax><value>file</value></syntax>
406 <default/> 492 <default/>
407 <context>http</context> 493 <context>http</context>
408 <context>server</context> 494 <context>server</context>
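Review bot: the new ssl_ocsp paragraph (lines 413-417 on the right) does not say what happens when the OCSP responder cannot be reached or returns no definitive status, i.e. whether the client certificate is then rejected or the handshake proceeds; for a revocation check that is the operational detail an administrator most needs, so a sentence stating the failure behaviour belongs next to "Enables OCSP validation of the client certificate chain." Two smaller gaps: the ssl_ocsp_cache text (lines 452-457) gives no unit for size and does not say how long a cached certificate status is kept, and the "<literal>leaf</literal>" sentence could spell out that intermediate certificates are then not checked, so readers understand the trade-off before choosing it.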