Document -no_explicit

Reviewed-by: N Rich Salz <rsalz@openssl.org>

Document -no_explicit
Reviewed-by: N Rich Salz <rsalz@openssl.org>
384dee51 · Dr. Stephen Henson · 775b669d · 384dee51
隐藏空白更改
内联并排

Showing with 8 addition and 2 deletion

doc/apps/ocsp.pod doc/apps/ocsp.pod +8 -2

未找到文件。
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -66,6 +66,7 @@ B<openssl> B<ocsp>
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]
+[B<-no_explicit>]
 [B<-port num>]
 [B<-index file>]
 [B<-CA file>]
@@ -226,6 +227,10 @@ testing purposes.
 do not use certificates in the response as additional untrusted CA
 certificates.

+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+
 =item B<-no_cert_checks>

 don't perform any additional checks on the OCSP response signers certificate.
@@ -338,8 +343,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
 extended key usage is present in the OCSP responder certificate then the
 OCSP verify succeeds.

-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.

 If none of these checks is successful then the OCSP verify fails.