[nginx] svn commit: r4879 - trunk/src/event

mdounin at mdounin.ru mdounin at mdounin.ru
Mon Oct 1 12:51:29 UTC 2012


Author: mdounin
Date: 2012-10-01 12:51:27 +0000 (Mon, 01 Oct 2012)
New Revision: 4879
URL: http://trac.nginx.org/nginx/changeset/4879/nginx

Log:
OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.

This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain.  This case won't need any extra trusted certificates.


Modified:
   trunk/src/event/ngx_event_openssl_stapling.c

Modified: trunk/src/event/ngx_event_openssl_stapling.c
===================================================================
--- trunk/src/event/ngx_event_openssl_stapling.c	2012-10-01 12:50:36 UTC (rev 4878)
+++ trunk/src/event/ngx_event_openssl_stapling.c	2012-10-01 12:51:27 UTC (rev 4879)
@@ -588,7 +588,7 @@
     chain = staple->ssl_ctx->extra_certs;
 #endif
 
-    if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+    if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
         ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                       "OCSP_basic_verify() failed");
         goto error;
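Review bot: the OCSP_basic_verify() call now takes OCSP_TRUSTOTHER but carries no comment saying that the trust decision has moved from store to chain. With this flag OpenSSL returns success as soon as the response signature verifies against a signer certificate found in chain, skipping validation of that signer against store. Any certificate in chain is therefore accepted as a responder. The context line above shows chain taken from staple->ssl_ctx->extra_certs, which is operator-configured, so this matches the intent in the log message. A short comment at the call should state that chain must only ever hold locally configured certificates, and the assignment in the other preprocessor branch ending at #endif should be checked against the same requirement.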


