path: root/doc/apps/ocsp.pod
diff options
authorJung-uk Kim <jkim@FreeBSD.org>2015-03-20 15:28:40 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2015-03-20 15:28:40 +0000
commit3d2030852da420b820a661e7b19bb757487e2599 (patch)
tree787cdff35e35be75e53f378b098bba3237a8deb7 /doc/apps/ocsp.pod
parent8f5086671f06c811be16442eb6d6fe68e5ba71fc (diff)
Import OpenSSL 1.0.1m.vendor/openssl/1.0.1m
Notes: svn path=/vendor-crypto/openssl/dist/; revision=280288 svn path=/vendor-crypto/openssl/1.0.1m/; revision=280289; tag=vendor/openssl/1.0.1m
Diffstat (limited to 'doc/apps/ocsp.pod')
1 files changed, 8 insertions, 2 deletions
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 38f026afc1b6..2372b373cdc1 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -40,6 +40,7 @@ B<openssl> B<ocsp>
[B<-port num>]
[B<-index file>]
[B<-CA file>]
@@ -189,6 +190,10 @@ testing purposes.
do not use certificates in the response as additional untrusted CA
+=item B<-no_explicit>
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
@@ -301,8 +306,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.
If none of these checks is successful then the OCSP verify fails.