Example

Return-Path: Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: (qmail 82810 invoked from network); 29 Nov 2007 13:58:44 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 29 Nov 2007 13:58:44 -0000 Received: (qmail 90590 invoked by uid 500); 29 Nov 2007 13:58:32 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 90551 invoked by uid 500); 29 Nov 2007 13:58:32 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 90540 invoked by uid 99); 29 Nov 2007 13:58:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 29 Nov 2007 05:58:31 -0800 X-ASF-Spam-Status: No, hits=-98.5 required=10.0 tests=ALL_TRUSTED,WEIRD_PORT X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 29 Nov 2007 13:58:20 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 56A411A983E; Thu, 29 Nov 2007 05:58:23 -0800 (PST) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r599445 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Date: Thu, 29 Nov 2007 13:58:23 -0000 To: cvs@httpd.apache.org From: jorton@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20071129135823.56A411A983E@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jorton Date: Thu Nov 29 05:58:22 2007 New Revision: 599445 URL: http://svn.apache.org/viewvc?rev=599445&view=rev Log: - add documentation of mod_ssl OCSP directives. Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=599445&r1=599444&r2=599445&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Nov 29 05:58:22 2007 @@ -1701,4 +1701,64 @@ + +SSLOCSPEnable +Enable OCSP validation of the client certificate chain +SSLOCSPEnable flag +server config +virtual host +Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later + + +

This option enables OCSP validation of the client certificate +chain. If this option is enabled, certificates in the client's +certificate chain will be validated against an OCSP responder after +normal verification (including CRL checks) have taken place.

+ +

The OCSP responder used is either extracted from the certificate +itself, or derived by configuration; see the +SSLOCSPDefaultResponder and +SSLOCSPOverrideResponder +directives.

+ +Example +SSLVerifyClient on
+SSLOCSPEnable on
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder
+SSLOCSPOverrideResponder on + + + + + +SSLOCSPDefaultResponder +Set the default responder URI for OCSP validation +SSLOCSDefaultResponder uri +server config +virtual host +Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later + + +

This option sets the default OCSP responder to use. If SSLOCSPOverrideResponder is not enabled, +the URI given will be used only if no responder URI is specified in +the certificate being verified.

+ + + + +SSLOCSPOverrideResponder +Force use of the default responder URI for OCSP validation +SSLOCSPOverrideResponder flag +server config +virtual host +Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later + + +

This option forces the configured default OCSP responder to be used +during OCSP certificate validation, regardless of whether the +certificate being validated references an OCSP responder.

+ + +