git.kaiwu.me - nginx.git/commit

]> git.kaiwu.me - nginx.git/commit

projects / nginx.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: 3ebbb7d) | patch

author	Maxim Dounin <mdounin@mdounin.ru>
	Mon, 1 Oct 2012 12:53:11 +0000 (12:53 +0000)
committer	Maxim Dounin <mdounin@mdounin.ru>
	Mon, 1 Oct 2012 12:53:11 +0000 (12:53 +0000)
commit	bec2cc5286e5888eb1de9462f7c64b922967b47b
tree	f51608be0c1ae2306ec75a99190398b47b360807	tree \| snapshot
parent	3ebbb7d521e9faeebdfdbba0a98a7a029e56c0a2	commit \| diff

OCSP stapling: ssl_stapling_verify directive.

OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway. But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.

src/event/ngx_event_openssl.h		diff \| blob \| history
src/event/ngx_event_openssl_stapling.c		diff \| blob \| history
src/http/modules/ngx_http_ssl_module.c		diff \| blob \| history
src/http/modules/ngx_http_ssl_module.h		diff \| blob \| history

nginx upstream