[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
Dr. Stephen Henson
steve at openssl.org
Tue Feb 24 15:29:29 UTC 2015
The branch OpenSSL_1_0_1-stable has been updated
via 9cd061725b4057f06d2d091352123ce9da790815 (commit)
from e347d80287f18fce0db4571d5ee7285f1b14b82b (commit)
- Log -----------------------------------------------------------------
commit 9cd061725b4057f06d2d091352123ce9da790815
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Feb 24 13:52:21 2015 +0000
Document -no_explicit
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 384dee51242e950c56b3bac32145957bfbf3cd4b)
-----------------------------------------------------------------------
Summary of changes:
doc/apps/ocsp.pod | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 38f026a..2372b37 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -40,6 +40,7 @@ B<openssl> B<ocsp>
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
+[B<-no_explicit>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
@@ -189,6 +190,10 @@ testing purposes.
do not use certificates in the response as additional untrusted CA
certificates.
+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
@@ -301,8 +306,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.
If none of these checks is successful then the OCSP verify fails.
More information about the openssl-commits
mailing list