Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 4878:695cc88ad649
OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain. This case won't need any extra trusted certificates.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 01 Oct 2012 12:51:27 +0000 |
| parents | 1a008f968f6d |
| children | 4a804fd04e6c |
comparison
equal
deleted
inserted
replaced
| 4877:f2e450929c1f | 4878:695cc88ad649 |
|---|---|
| 586 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); | 586 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); |
| 587 #else | 587 #else |
| 588 chain = staple->ssl_ctx->extra_certs; | 588 chain = staple->ssl_ctx->extra_certs; |
| 589 #endif | 589 #endif |
| 590 | 590 |
| 591 if (OCSP_basic_verify(basic, chain, store, 0) != 1) { | 591 if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { |
| 592 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, | 592 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
| 593 "OCSP_basic_verify() failed"); | 593 "OCSP_basic_verify() failed"); |
| 594 goto error; | 594 goto error; |
| 595 } | 595 } |
| 596 | 596 |