Posted to cvs@httpd.apache.org by jo...@apache.org on 2007/11/29 14:58:23 UTC

svn commit: r599445 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml

Author: jorton
Date: Thu Nov 29 05:58:22 2007
New Revision: 599445

URL: http://svn.apache.org/viewvc?rev=599445&view=rev
Log:
- add documentation of mod_ssl OCSP directives.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=599445&r1=599444&r2=599445&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Nov 29 05:58:22 2007
@@ -1701,4 +1701,64 @@
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLOCSPEnable</name>
+<description>Enable OCSP validation of the client certificate chain</description>
+<syntax>SSLOCSPEnable <em>flag</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option enables OCSP validation of the client certificate
+chain.  If this option is enabled, certificates in the client's
+certificate chain will be validated against an OCSP responder after
+normal verification (including CRL checks) have taken place.</p>
+
+<p>The OCSP responder used is either extracted from the certificate
+itself, or derived by configuration; see the
+<directive module="mod_ssl">SSLOCSPDefaultResponder</directive> and
+<directive module="mod_ssl">SSLOCSPOverrideResponder</directive>
+directives.</p>
+
+<example><title>Example</title>
+SSLVerifyClient on<br/>
+SSLOCSPEnable on<br/>
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder<br/>
+SSLOCSPOverrideResponder on
+</example>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPDefaultResponder</name>
+<description>Set the default responder URI for OCSP validation</description>
+<syntax>SSLOCSDefaultResponder <em>uri</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the default OCSP responder to use.  If <directive
+module="mod_ssl">SSLOCSPOverrideResponder</directive> is not enabled,
+the URI given will be used only if no responder URI is specified in
+the certificate being verified.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPOverrideResponder</name>
+<description>Force use of the default responder URI for OCSP validation</description>
+<syntax>SSLOCSPOverrideResponder <em>flag</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option forces the configured default OCSP responder to be used
+during OCSP certificate validation, regardless of whether the
+certificate being validated references an OCSP responder.</p>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>
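
Review bot: the `<syntax>` line in the SSLOCSPDefaultResponder block spells the directive `SSLOCSDefaultResponder`, dropping the "P", so it disagrees with the `<name>` directly above it and with the example in the SSLOCSPEnable block; it should read `<syntax>SSLOCSPDefaultResponder <em>uri</em></syntax>`. The usage text also leaves the failure behaviour undocumented: it does not say what happens to the handshake when the certificate names no responder and no default is configured, or when the responder cannot be reached or returns an error. An administrator needs that to know whether enabling SSLOCSPEnable fails open or closed, so please state it in the SSLOCSPEnable usage paragraph. None of the three blocks gives a default value for its directive, which is worth adding for the two flag directives in particular. Minor grammar in the first paragraph: "normal verification (including CRL checks) have taken place" should be "has taken place".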