From 544a20de7667f05c1a406c4dea0706b0ab507430 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 5 Nov 2015 18:20:27 +0100
Subject: p11: enable ocsp checks

This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.

Resolves https://fedorahosted.org/sssd/ticket/2812

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/SSSDConfig/__init__.py.in | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/config/SSSDConfig/__init__.py.in')

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 60129e6e7..fe2971d99 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -61,6 +61,7 @@ option_strings = {
     'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
     'default_domain_suffix' : _('Domain to add to names without a domain component.'),
     'user' : _('The user to drop privileges to'),
+    'certificate_verification' : _('Tune certificate verification'),
 
     # [nss]
     'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
-- 
cgit