authorMaxim Dounin <mdounin@mdounin.ru>2012-10-01 12:53:11 +0000
committerMaxim Dounin <mdounin@mdounin.ru>2012-10-01 12:53:11 +0000
commitbec2cc5286e5888eb1de9462f7c64b922967b47b (patch)
treef51608be0c1ae2306ec75a99190398b47b360807 /src/http/modules/ngx_http_ssl_module.h
parent3ebbb7d521e9faeebdfdbba0a98a7a029e56c0a2 (diff)
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify directive allows switching it on. Note that for stapling, OCSP response verification isn't strictly required, as it will be done by the client anyway. But doing verification on the server mitigates some attack vectors, most notably by stopping an attacker from presenting specially crafted data to all site clients.
Diffstat (limited to 'src/http/modules/ngx_http_ssl_module.h')
-rw-r--r--src/http/modules/ngx_http_ssl_module.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
index b9037589f..c4c576ef6 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -43,6 +43,7 @@ typedef struct {
ngx_shm_zone_t *shm_zone;
ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
ngx_str_t stapling_file;
ngx_str_t stapling_responder;
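Review bot: The new `stapling_verify` member has no comment, although it is a security-relevant switch: when it is off, responses are stapled without any server-side check. I would add `/* verify OCSP responses before stapling them; off unless ssl_stapling_verify is on */` above it. Because it is an `ngx_flag_t`, it presumably has to be set to `NGX_CONF_UNSET` in the create handler and merged with a default of 0 in the merge handler. Those changes are not visible in this file-limited view, so confirm them against the .c side of the commit. The enclosing `typedef struct` starts and ends outside the hunk.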