OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in the common case when the OCSP
response is signed by a certificate already present in the ssl_certificate
chain. This case won't need any extra trusted certificates.
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index 435a40f..c09b9f7 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -588,7 +588,7 @@
chain = staple->ssl_ctx->extra_certs;
#endif
- if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+ if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed");
goto error;
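Review bot: the commit message should spell out what OCSP_TRUSTOTHER relaxes, because it is more than "no extra trusted certificates". In OpenSSL, when the response signer is found among the certificates passed as the `certs` argument (here `chain`, the ssl_certificate extra certs) and OCSP_TRUSTOTHER is set, OCSP_basic_verify() behaves as if OCSP_NOVERIFY were given for that signer: it checks the response signature, but skips building a trust path through `store` and skips the check that the signer is the CA that issued the stapled certificate or a responder it delegated to. That is acceptable because `chain` is operator-configured and the stapled response is only served for this server's own certificate, but it means any intermediate in the configured chain is silently accepted as an OCSP signer; a one-line note on `OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER)` and a sentence in the ssl_stapling_verify documentation would make that trust decision explicit for operators. Also worth confirming that `chain` never contains anything beyond the certificates loaded from ssl_certificate, since whatever ends up in `extra_certs` is now implicitly trusted for this purpose.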