From: martin <rauch.martin@gmail.com>
Date: Sun, 7 Dec 2025 14:15:07 +0000 (+0100)
Subject: Add documentation for X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f13fe0e025f0d413ff985f4114b5e99654d4adde;p=thirdparty%2Fopenssl.git

Add documentation for X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29327)
---

diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 267975778bd..864e242963e 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -258,6 +258,14 @@ certificate. An error occurs if a suitable CRL cannot be found.
 B<X509_V_FLAG_CRL_CHECK_ALL> expands CRL checking to the entire certificate
 chain if B<X509_V_FLAG_CRL_CHECK> has also been enabled, and is otherwise ignored.
 
+B<X509_V_FLAG_OCSP_RESP_CHECK> enables Online Certificate Status Protocol (OCSP)
+checking for the certificate chain leaf certificate. An error occurs if a suitable
+OCSP response cannot be found.
+
+B<X509_V_FLAG_OCSP_RESP_CHECK_ALL> expands OCSP checking to the entire certificate
+chain if B<X509_V_FLAG_OCSP_RESP_CHECK> has also been enabled, and is otherwise
+ignored.
+
 B<X509_V_FLAG_IGNORE_CRITICAL> disables critical extension checking. By default
 any unhandled critical extensions in certificates or (if checked) CRLs result
 in a fatal error. If this flag is set unhandled critical extensions are