Changeset 87d7f89 in mod_gnutls for doc/mod_gnutls_manual.md


Ignore:
Timestamp:
Apr 4, 2020, 1:07:28 PM (11 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, master, proxy-ticket
Children:
ee35a9f
Parents:
e932ba5
Message:

Send OCSP nonce only if GnuTLSOCSPCheckNonce is enabled

File:
1 edited

Legend:

Unmodified
Added
Removed

  • doc/mod_gnutls_manual.md

    re932ba5 r87d7f89  
    640640### GnuTLSOCSPCheckNonce
    641641
    642 Check the nonce in OCSP responses?
     642Send nonces in OCSP requests and verify them in responses.
    643643
    644644    GnuTLSOCSPCheckNonce [On|Off]
     
    647647Context: server config, virtual host
    648648
    649 Most CAs do not to send nonces in their OCSP responses, probably
    650 because that way they can cache responses, which is [explicitly
    651 allowed by RFC
    652 6960](https://tools.ietf.org/html/rfc6960#section-2.5). You can enable
    653 `GnuTLSOCSPCheckNonce` to enforce nonce validation if your CA is one
    654 that supports OCSP nonces. Note that `mod_gnutls` will _send_ a nonce
    655 either way.
     649If `GnuTLSOCSPCheckNonce` is enabled, `mod_gnutls` will send nonces in
     650OCSP requests and verify them in responses. Responses without a nonce
     651or with a mismatching one will be considered invalid and discarded.
     652
     653This option is disabled by default because many CAs do not support the
     654OCSP nonce extension. The likely reason for that is the use of
     655pre-produced responses, as described in [RFC 6960, Section
     6562.5](https://tools.ietf.org/html/rfc6960#section-2.5).
    656657
    657658### GnuTLSOCSPResponseFile
Note: See TracChangeset for help on using the changeset viewer.