Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()

Fixes #7761 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12947)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-22 08:36:22 +0200
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-26 14:03:44 +0200
commit: 4ff993d7912516a2fd1d5c1e97a6f26a4644c1c6 (patch)
tree: ac313e70bd5b7fef2dc7761ff80aa90c83c0a416 /doc
parent: cf61b97d5fb9208ac254e999d86b1cf40c12b442 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index 708bbd1765..7c16b8c889 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -135,6 +135,8 @@ in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
 If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
 and in I<bs>, else it takes them as untrusted intermediate CA certificates
 and uses them for constructing the validation path for the signer certificate.
+Certicate revocation status checks using CRLs is disabled during path validation
+if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
 After successful path
 validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
 Otherwise it verifies that the signer certificate meets the OCSP issuer
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-09-22 08:36:22 +0200
committer	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-09-26 14:03:44 +0200
commit	4ff993d7912516a2fd1d5c1e97a6f26a4644c1c6 (patch)
tree	ac313e70bd5b7fef2dc7761ff80aa90c83c0a416 /doc
parent	cf61b97d5fb9208ac254e999d86b1cf40c12b442 (diff)