mod_ssl: Document that SSLStaplingReturnResponderErrors off still returns revoked...

author Rich Bowen <rbowen@apache.org>

Sun, 3 May 2026 20:30:40 +0000 (20:30 +0000)

committer Rich Bowen <rbowen@apache.org>

Sun, 3 May 2026 20:30:40 +0000 (20:30 +0000)
author Rich Bowen <rbowen@apache.org>
Sun, 3 May 2026 20:30:40 +0000 (20:30 +0000)
committer Rich Bowen <rbowen@apache.org>
Sun, 3 May 2026 20:30:40 +0000 (20:30 +0000)
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml

index f1c813ce908123745c5575be70e48c416e0094b5..f08d83fbf483c2dbd68172daf59429b5c957cd6f 100644 (file)
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2954,7 +2954,10 @@ stapling related OCSP queries (such as responses with an overall status
  other than "successful", responses with a certificate status other than
  "good", expired responses etc.) on to the client.
  If set to <code>off</code>, only responses indicating a certificate status
-of "good" will be included in the TLS handshake.</p>
+of "good" or "revoked" will be included in the TLS handshake.
+Responses with a "revoked" status are always included regardless of
+this setting, because suppressing a known revocation would be a
+security risk.</p>
  </usage>
  </directivesynopsis>
author	Rich Bowen <rbowen@apache.org>
	Sun, 3 May 2026 20:30:40 +0000 (20:30 +0000)
committer	Rich Bowen <rbowen@apache.org>
	Sun, 3 May 2026 20:30:40 +0000 (20:30 +0000)