From: Rich Bowen <rbowen@apache.org>
Date: Sun, 3 May 2026 20:30:40 +0000 (+0000)
Subject: mod_ssl: Document that SSLStaplingReturnResponderErrors off still returns revoked... 
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9411142746659f540eb54b29d280837049613483;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl: Document that SSLStaplingReturnResponderErrors off still returns revoked responses (Bug 69647)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933788 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index f1c813ce90..f08d83fbf4 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2954,7 +2954,10 @@ stapling related OCSP queries (such as responses with an overall status
 other than "successful", responses with a certificate status other than
 "good", expired responses etc.) on to the client.
 If set to <code>off</code>, only responses indicating a certificate status
-of "good" will be included in the TLS handshake.</p>
+of "good" or "revoked" will be included in the TLS handshake.
+Responses with a "revoked" status are always included regardless of
+this setting, because suppressing a known revocation would be a
+security risk.</p>
 </usage>
 </directivesynopsis>