diff --git a/doc/h2load.1 b/doc/h2load.1 index f6e39701..6e34d8ca 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "May 21, 2017" "1.23.0-DEV" "nghttp2" +.TH "H2LOAD" "1" "May 26, 2017" "1.23.0" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/nghttp.1 b/doc/nghttp.1 index 613c6fa3..04392e07 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "May 21, 2017" "1.23.0-DEV" "nghttp2" +.TH "NGHTTP" "1" "May 26, 2017" "1.23.0" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index e9f029ed..0a8366d2 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "May 21, 2017" "1.23.0-DEV" "nghttp2" +.TH "NGHTTPD" "1" "May 26, 2017" "1.23.0" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index 3a103782..273474de 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "May 21, 2017" "1.23.0-DEV" "nghttp2" +.TH "NGHTTPX" "1" "May 26, 2017" "1.23.0" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . @@ -833,6 +833,11 @@ connections. .UNINDENT .INDENT 0.0 .TP +.B \-\-no\-verify\-ocsp +nghttpx does not verify OCSP response. +.UNINDENT +.INDENT 0.0 +.TP .B \-\-no\-ocsp Disable OCSP stapling. .UNINDENT 
@@ -1751,6 +1756,22 @@ be customized using \fI\%\-\-fetch\-ocsp\-response\-file\fP option. .sp If OCSP query is failed, previous OCSP response, if any, is continued to be used. +.sp +\fI\%\-\-fetch\-ocsp\-response\-file\fP option provides wide range of +possibility to manage OCSP response. It can take an arbitrary script +or executable. The requirement is that it supports the command\-line +interface of \fBfetch\-ocsp\-response\fP script, and it must return a +valid DER encoded OCSP response on success. It must return exit code +0 on success, and 75 for temporary error, and the other error code for +generic failure. For large cluster of servers, it is not efficient +for each server to perform OCSP query using \fBfetch\-ocsp\-response\fP\&. +Instead, you can retrieve OCSP response in some way, and store it in a +disk or a shared database. Then specify a program in +\fI\%\-\-fetch\-ocsp\-response\-file\fP to fetch it from those stores. +This could provide a way to share the OCSP response between fleet of +servers, and also any OCSP query strategy can be applied which may be +beyond the ability of nghttpx itself or \fBfetch\-ocsp\-response\fP +script. .SH TLS SESSION RESUMPTION .sp nghttpx supports TLS session resumption through both session ID and diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst index 0f04c938..97af6938 100644 --- a/doc/nghttpx.1.rst +++ b/doc/nghttpx.1.rst @@ -763,6 +763,10 @@ SSL/TLS responses must be available before accepting connections. +.. option:: --no-verify-ocsp + + nghttpx does not verify OCSP response. + .. option:: --no-ocsp Disable OCSP stapling. 
@@ -1601,6 +1605,22 @@ be customized using :option:`--fetch-ocsp-response-file` option. If OCSP query is failed, previous OCSP response, if any, is continued to be used. +:option:`--fetch-ocsp-response-file` option provides wide range of +possibility to manage OCSP response. It can take an arbitrary script +or executable. The requirement is that it supports the command-line +interface of ``fetch-ocsp-response`` script, and it must return a +valid DER encoded OCSP response on success. It must return exit code +0 on success, and 75 for temporary error, and the other error code for +generic failure. For large cluster of servers, it is not efficient +for each server to perform OCSP query using ``fetch-ocsp-response``. +Instead, you can retrieve OCSP response in some way, and store it in a +disk or a shared database. Then specify a program in +:option:`--fetch-ocsp-response-file` to fetch it from those stores. +This could provide a way to share the OCSP response between fleet of +servers, and also any OCSP query strategy can be applied which may be +beyond the ability of nghttpx itself or ``fetch-ocsp-response`` +script. + TLS SESSION RESUMPTION ----------------------
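Review bot: The new --no-verify-ocsp entry in doc/nghttpx.1.rst (hunk at -763,6 +763,10, mirrored in the generated doc/nghttpx.1) does not say which check is skipped or when disabling it is appropriate; "nghttpx does not verify OCSP response." is the whole description. Since this same patch documents that --fetch-ocsp-response-file can run an arbitrary script or executable, the entry should state whether the output of such a program is then used for stapling without any check by nghttpx, and should cross-reference the OCSP stapling section so operators can see the trade-off before setting the flag. A small wording fix as well: "does not verify the OCSP response".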
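Review bot: The paragraph added at -1601,6 +1605,22 in doc/nghttpx.1.rst (and its copy at -1751,6 +1756,22 in doc/nghttpx.1) leaves the contract for a replacement program underspecified. "It must return a valid DER encoded OCSP response" does not say where the response is written, "the command-line interface of fetch-ocsp-response script" is required but its arguments are not listed or linked, and the text gives exit code 75 for a temporary error without saying how nghttpx treats it differently from any other non-zero code. Please spell these out, and for the shared disk or database case add a sentence on who is responsible for refreshing the stored response, given the preceding line says a previous response continues to be used when a query fails. Wording suggestions: "provides a wide range of possibilities", "For a large cluster of servers", "store it on disk", and "any other exit code" in place of "the other error code".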