From bec2cc5286e5888eb1de9462f7c64b922967b47b Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 1 Oct 2012 12:53:11 +0000
Subject: OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify allows to switch it on. Note that for stapling OCSP response verification isn't something required as it will be done by a client anyway. But doing verification on a server allows to mitigate some attack vectors, most notably stop an attacker from presenting some specially crafted data to all site clients.
---
 src/http/modules/ngx_http_ssl_module.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/http/modules/ngx_http_ssl_module.h')
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
index b9037589f..c4c576ef6 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -43,6 +43,7 @@ typedef struct {
 ngx_shm_zone_t *shm_zone;
 ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
 ngx_str_t stapling_file;
 ngx_str_t stapling_responder;
-- cgit
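Review bot: The added `ngx_flag_t stapling_verify;` field has no comment, so the security-relevant default (verification off, per the commit message) is not recorded next to it; a one-line comment such as `/* verify OCSP responses before stapling; off unless ssl_stapling_verify is set */` would make that visible to the next reader. This page is limited to the header, so the code that initialises and merges the flag is not shown; presumably it starts unset and is merged with a default of 0, which is worth confirming in the .c file because an uninitialised flag would leave the default undefined. With the default off, the server staples whatever the responder or the stapling file supplies without checking it, so operators who want the server-side check the commit message describes must enable the directive explicitly. The struct definition starts and ends outside the hunk.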