<directivesynopsis>
<name>SSLOCSPEnable</name>
<description>Enable OCSP validation of the client certificate chain</description>
-<syntax>SSLOCSPEnable on|leaf|off</syntax>
+<syntax>SSLOCSPEnable on|leaf|off [<var>flags</var>]</syntax>
<default>SSLOCSPEnable off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>Mode <em>leaf</em> available in httpd 2.4.34 and later</compatibility>
+<compatibility>Mode <em>leaf</em> available in httpd 2.4.34 and later. Flag <em>no_ocsp_for_cert_ok</em> available in 2.4.29 and later.</compatibility>
<usage>
<p>This option enables OCSP validation of the client certificate
<directive module="mod_ssl">SSLOCSPOverrideResponder</directive>
directives.</p>
+<p>The following optional flags are available:</p>
+<ul>
+<li><code>no_ocsp_for_cert_ok</code>
+ <p>When OCSP validation is enabled, a certificate that does not
+ contain an OCSP responder URL will normally cause validation to fail.
+ Adding this flag allows such certificates to pass validation. This
+ is useful in environments where some certificates in the chain do
+ not include OCSP responder information.</p>
+</li>
+</ul>
+
<example><title>Example</title>
<highlight language="config">
SSLVerifyClient on
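Review bot: the new no_ocsp_for_cert_ok list item presents the flag only as a convenience ("This is useful in environments where some certificates in the chain do not include OCSP responder information") and never states the consequence. With the flag set, a certificate that carries no OCSP responder URL passes without any OCSP revocation check, so validation fails open for exactly those certificates. Please add a sentence that says this, and state how the flag behaves in leaf mode and alongside the responder directives the preceding paragraph refers to (SSLOCSPOverrideResponder), so an administrator can tell which certificates end up unchecked. Separately, in the compatibility line the flag is listed as available in "2.4.29 and later", which is earlier than the 2.4.34 given for the leaf mode it can be combined with under the new syntax, and the "httpd" prefix is dropped. Please confirm the version and match the wording of the first sentence.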