mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

Document -no_explicit

Browse Source 
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-02-24 13:52:21 +00:00
parent 775b669de3
commit 384dee5124
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/apps/ocsp.pod
View File

@ -66,6 +66,7 @@ B<openssl> B<ocsp>
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_explicit>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
@ -226,6 +227,10 @@ testing purposes.
do not use certificates in the response as additional untrusted CA
certificates.
=item B<-no_explicit>
do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
@ -338,8 +343,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
Otherwise the root CA of the OCSP responders CA is checked to see if it
is trusted for OCSP signing. If it is the OCSP verify succeeds.
Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
verify succeeds.
If none of these checks is successful then the OCSP verify fails.