bec2cc5286e5888eb1de9462f7c64b922967b47b - nginx

commit	bec2cc5286e5888eb1de9462f7c64b922967b47b	[log] [tgz]
author	Maxim Dounin <mdounin@mdounin.ru>	Mon Oct 01 12:53:11 2012 +0000
committer	Maxim Dounin <mdounin@mdounin.ru>	Mon Oct 01 12:53:11 2012 +0000
tree	f51608be0c1ae2306ec75a99190398b47b360807
parent	3ebbb7d521e9faeebdfdbba0a98a7a029e56c0a2 [diff]

OCSP stapling: ssl_stapling_verify directive.

OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.

src/event/ngx_event_openssl.h[diff]
src/event/ngx_event_openssl_stapling.c[diff]
src/http/modules/ngx_http_ssl_module.c[diff]
src/http/modules/ngx_http_ssl_module.h[diff]

4 files changed

tree: f51608be0c1ae2306ec75a99190398b47b360807

auto/
conf/
contrib/
docs/
misc/
src/
.hgtags