Changeset e932ba5 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Apr 4, 2020, 11:55:25 AM (7 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
87d7f89
Parents:
ca0690b
Message:

Do not enforce OCSP nonces by default

The reason for this change is that in practice most public CAs do not
support OCSP nonces, which is permitted by both RFC 6960 and the
CA/Browser Forum baseline requirements. In this situation enforcing
correct nonces by default makes the automatic OCSP stapling support
mostly useless, so I'm changing the default.

File:
1 edited

  • src/gnutls_ocsp.c

    rca0690b re932ba5  
    12701270        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
    12711271    if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
    1272         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
     1272        sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
    12731273    if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
    12741274        sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
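Review bot: the new default `GNUTLS_ENABLED_FALSE` for `sc->ocsp_check_nonce` lowers the freshness guarantee of stapled responses, and since only src/gnutls_ocsp.c is edited (File: 1 edited) the documented default and its trade-off are not updated in the same change. Without a nonce the server can only rely on the response's validity period, so a stale but still unexpired response is accepted; the commit message already notes that RFC 6960 permits nonce-less responders, so a documentation line telling operators whose CA does support nonces to set the option explicitly (the default only applies while the value is `GNUTLS_ENABLED_UNSET`, as the unchanged `if` on the line above shows) would close that gap.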