From: Rich Bowen Date: Wed, 29 Apr 2026 20:34:18 +0000 (+0000) Subject: mod_ssl: Document SSLOCSPEnable no_ocsp_for_cert_ok flag (Bug 65014) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b71008dc784dd8b99355a910e3c43c180c0093c;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: Document SSLOCSPEnable no_ocsp_for_cert_ok flag (Bug 65014) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933553 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 46fb2c3460..6f18dc391c 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2632,11 +2632,11 @@ for PKCS#11 URIs (7512). SSLOCSPEnable Enable OCSP validation of the client certificate chain -SSLOCSPEnable on|leaf|off +SSLOCSPEnable on|leaf|off [flags] SSLOCSPEnable off server config virtual host -Mode leaf available in httpd 2.4.34 and later +Mode leaf available in httpd 2.4.34 and later. Flag no_ocsp_for_cert_ok available in 2.4.29 and later.

This option enables OCSP validation of the client certificate @@ -2651,6 +2651,17 @@ itself, or derived by configuration; see the SSLOCSPOverrideResponder directives.

+

The following optional flags are available:

+
    +
  • no_ocsp_for_cert_ok +

    When OCSP validation is enabled, a certificate that does not + contain an OCSP responder URL will normally cause validation to fail. + Adding this flag allows such certificates to pass validation. This + is useful in environments where some certificates in the chain do + not include OCSP responder information.

    +
  • +
+ Example SSLVerifyClient on
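Review bot: In the hunk at @@ -2632,11 +2632,11 @@, the new syntax line "SSLOCSPEnable on|leaf|off [flags]" does not say how flags are written or combined, and the patch documents only one flag, no_ocsp_for_cert_ok. Either name that flag in the syntax line or state in the flag list how multiple flags are separated. In the compatibility line, the added sentence reads "available in 2.4.29 and later" while the existing one reads "available in httpd 2.4.34 and later"; add "httpd" so the two match. The flag's version is lower than the leaf mode's, so please confirm the number before this lands.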
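Review bot: In the hunk at @@ -2651,6 +2651,17 @@, the no_ocsp_for_cert_ok paragraph leaves out the security consequence: a certificate that passes because it has no responder URL is accepted with no OCSP revocation check at all. Add a sentence that says so and tells administrators to cover revocation for those certificates by other means, so the flag is not read as a pure compatibility switch. The sentence "a certificate that does not contain an OCSP responder URL will normally cause validation to fail" also follows context saying the responder can be "derived by configuration"; make clear that the failure, and therefore the flag, applies only when no responder is available from either the certificate or the configuration.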