Changeset 9bc842e in mod_gnutls for doc

Timestamp:

Jan 13, 2020, 6:55:56 AM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master, proxy-ticket

Children:

546bf35

Parents:

33fa7d5

Message:

Update documentation for GnuTLSOCSPResponseFile

File:

• doc/mod_gnutls_manual.md (modified) (1 diff)

doc/mod_gnutls_manual.md

@@ -631 +631 @@
 ### GnuTLSOCSPResponseFile
 
-Read the OCSP response for stapling from this file instead of sending
-a request over HTTP.
-
-    GnuTLSOCSPResponseFile /path/to/response.der
+Read OCSP responses for stapling from these files (one or more)
+instead of sending a request over HTTP.
+
+    GnuTLSOCSPResponseFile /path/to/response.der [...]
 
 Default: *empty*\
 Context: server config, virtual host
 
-The response file must be updated externally, for example using a cron
-job. This option is an alternative to the server fetching OCSP
+The first listed file must contain a response for the server
+certificate, responses for intermediate CAs may be added in the order
+they appear in [GnuTLSCertificateFile](#gnutlscertificatefile). You
+can revert to the default fetch mechanism for a specific certificate
+(including the server certificate) by giving the empty string (`""`)
+instead of a file path.
+
+The response files must be updated externally, for example using a
+cron job. This option is an alternative to the server fetching OCSP
 responses over HTTP. Reasons to use this option include:
 
-* Performing OCSP requests separate from the web server.
-* The issuer CA uses an access method other than HTTP.
+* Performing OCSP requests separate from the web server (e.g. to share
+  responses across a server cluster).
+* The issuer CA uses an access method other than HTTP, or doesn't
+  include an OCSP URL in the certificate.
 * Testing