p11: enable ocsp checks

This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
author: Sumit Bose <sbose@redhat.com> 2015-11-05 18:20:27 +0100
committer: Jakub Hrozek <jhrozek@redhat.com> 2015-11-26 16:39:49 +0100
commit: 544a20de7667f05c1a406c4dea0706b0ab507430 (patch)
tree: dca48b12957626f2ebae2fb2b0f9a96ef617713e /src/man/sssd.conf.5.xml
parent: d0de7701d44c7a75210a9cb04634913ce3a94bfb (diff)
download: sssd-544a20de7667f05c1a406c4dea0706b0ab507430.tar.gz
sssd-544a20de7667f05c1a406c4dea0706b0ab507430.tar.xz
sssd-544a20de7667f05c1a406c4dea0706b0ab507430.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 573f421a7..030485cd7 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -365,6 +365,35 @@
                             </para>
                         </listitem>
                     </varlistentry>
+                    <varlistentry>
+                        <term>certificate_verification (string)</term>
+                        <listitem>
+                            <para>
+                                With this parameter the certificate verification
+                                can be tuned with a comma separated list of
+                                options. Supported options are:
+                                <variablelist>
+                                <varlistentry>
+                                    <term>no_ocsp</term>
+                                    <listitem>
+                                        <para>Disables Online Certificate Status
+                                        Protocol (OCSP) checks. This might be
+                                        needed if the OCSP servers defined in
+                                        the certificate are not reachable from
+                                        the client.</para>
+                                    </listitem>
+                                </varlistentry>
+                                </variablelist>
+                            </para>
+                            <para>
+                                Unknown options are reported but ignored.
+                            </para>
+                            <para>
+                                Default: not set, i.e. do not restrict
+                                certificate vertification
+                            </para>
+                        </listitem>
+                    </varlistentry>
                 </variablelist>
             </para>
         </refsect2>
author	Sumit Bose <sbose@redhat.com>	2015-11-05 18:20:27 +0100
committer	Jakub Hrozek <jhrozek@redhat.com>	2015-11-26 16:39:49 +0100
commit	544a20de7667f05c1a406c4dea0706b0ab507430 (patch)
tree	dca48b12957626f2ebae2fb2b0f9a96ef617713e /src/man/sssd.conf.5.xml
parent	d0de7701d44c7a75210a9cb04634913ce3a94bfb (diff)
download	sssd-544a20de7667f05c1a406c4dea0706b0ab507430.tar.gz sssd-544a20de7667f05c1a406c4dea0706b0ab507430.tar.xz sssd-544a20de7667f05c1a406c4dea0706b0ab507430.zip