comparison src/event/ngx_event_openssl_stapling.c @ 4878:695cc88ad649
OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain. This case won't need any extra trusted certificates.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:51:27 +0000 |
parents | 1a008f968f6d |
children | 4a804fd04e6c |
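--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -586,11 +586,11 @@
 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
 #else
 chain = staple->ssl_ctx->extra_certs;
 #endif
 
-if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
 "OCSP_basic_verify() failed");
 goto error;
 }
 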
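Review bot: The `OCSP_TRUSTOTHER` flag on the `OCSP_basic_verify()` call at new line 591 should carry a comment, because it changes what a successful return means. As OpenSSL documents the flag, a signer certificate found in `chain` is trusted explicitly, so only the response signature is checked and the signer's own chain is not validated against `store`. Since `chain` is taken from the extra certificates configured on `staple->ssl_ctx`, every certificate placed in the ssl_certificate file becomes an acceptable OCSP signer for the stapled response. I would add above the call something like `/* OCSP_TRUSTOTHER: signers found in the ssl_certificate chain are trusted as is, without verification against the store */`, so that later readers do not assume `store` still gates every response. The enclosing function starts and ends outside the lines shown, so whether the response is separately matched to the server certificate cannot be confirmed from here.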