| author | Maxim Dounin <mdounin@mdounin.ru> | 2012-10-01 12:53:11 +0000 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2012-10-01 12:53:11 +0000 |
| commit | bec2cc5286e5888eb1de9462f7c64b922967b47b (patch) | |
| tree | f51608be0c1ae2306ec75a99190398b47b360807 /src/event/ngx_event_openssl.h | |
| parent | 3ebbb7d521e9faeebdfdbba0a98a7a029e56c0a2 (diff) | |
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.
Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway. But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
Diffstat (limited to 'src/event/ngx_event_openssl.h')
| -rw-r--r-- | src/event/ngx_event_openssl.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index fc098da87..d1fb5739f 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -106,7 +106,7 @@ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, - ngx_str_t *responder, ngx_str_t *file); + ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length); |
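Review bot: In the new ngx_ssl_stapling() prototype, `file` and `responder` trade places in the same change that appends `verify`, and both are `ngx_str_t *`, so a call site updated only by adding the third argument still compiles while passing the responder string as the file and the file as the responder. Either keep the original `responder, file` order and append only `ngx_uint_t verify`, or check every caller's first two arguments against the new order. The declaration also carries no comment on what `verify` accepts; because it is typed `ngx_uint_t` rather than a flag type, a one-line note stating whether it is a plain on/off value would help callers.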
