| author | Dr. Stephen Henson <steve@openssl.org> | 2016-05-12 15:24:06 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2016-05-12 16:50:55 +0100 |
| commit | 6302bbd21a79bd2ed59f214d6d042031384b4d12 (patch) | |
| tree | 72bc1def0c3937e935ffa582b29d3f5cebf24a85 /doc/apps/ocsp.pod | |
| parent | d535e5652688447deaf8a9eddc2b8cdc4f8f6ce9 (diff) | |
Correctly check for trailing digest options.
Multiple digest options to the ocsp utility are allowed: e.g. to use
different digests for different certificate IDs. A digest option without
a following certificate is however illegal.
RT#4215
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc/apps/ocsp.pod')
-rw-r--r-- | doc/apps/ocsp.pod | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 3e667e678e..a5bb22f819 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod 
@@ -266,24 +266,25 @@ only be used for testing purposes. =item B<-validity_period nsec>, B<-status_age age> these options specify the range of times, in seconds, which will be tolerated -in an OCSP response. Each certificate status response includes a B<notBefore> time and -an optional B<notAfter> time. The current time should fall between these two values, but -the interval between the two times may be only a few seconds. In practice the OCSP -responder and clients clocks may not be precisely synchronised and so such a check -may fail. To avoid this the B<-validity_period> option can be used to specify an -acceptable error range in seconds, the default value is 5 minutes. - -If the B<notAfter> time is omitted from a response then this means that new status -information is immediately available. In this case the age of the B<notBefore> field -is checked to see it is not older than B<age> seconds old. By default this additional -check is not performed. +in an OCSP response. Each certificate status response includes a B<notBefore> +time and an optional B<notAfter> time. The current time should fall between +these two values, but the interval between the two times may be only a few +seconds. In practice the OCSP responder and clients clocks may not be precisely +synchronised and so such a check may fail. To avoid this the +B<-validity_period> option can be used to specify an acceptable error range in +seconds, the default value is 5 minutes. + +If the B<notAfter> time is omitted from a response then this means that new +status information is immediately available. In this case the age of the +B<notBefore> field is checked to see it is not older than B<age> seconds old. +By default this additional check is not performed. =item B<-[digest]> -this option sets digest algorithm to use for certificate identification -in the OCSP request. -Any digest supported by the OpenSSL B<dgst> command can be used. -The default is SHA-1. 
+this option sets digest algorithm to use for certificate identification in the +OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used. +The default is SHA-1. This option may be used multiple times to specify the +digest used by subsequent certificate identifiers. =back |
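Review bot: The new final sentence of the B<-[digest]> entry ("This option may be used multiple times to specify the digest used by subsequent certificate identifiers") documents repetition but not the constraint the commit message introduces, that a digest option with no certificate identifier following it is rejected; since this hunk is the only user-visible description of that rule, add a sentence such as "A digest option must be followed by at least one certificate identifier; a trailing digest option is an error." so that users understand why such an invocation now fails. Separately, the reflowed lines carry two small wording defects that could be fixed while they are being rewritten anyway: "clients clocks may not be precisely synchronised" should read "clients' clocks", and "this option sets digest algorithm to use" should read "sets the digest algorithm to use".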