From 3ebbb7d521e9faeebdfdbba0a98a7a029e56c0a2 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 1 Oct 2012 12:51:27 +0000
Subject: [PATCH] OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.

This is expected to simplify configuration in a common case when OCSP response is signed by a certificate already present in ssl_certificate chain. This case won't need any extra trusted certificates.
---
 src/event/ngx_event_openssl_stapling.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index 435a40fde..c09b9f7ec 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -588,7 +588,7 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
 chain = staple->ssl_ctx->extra_certs;
 #endif
 
- if (OCSP_basic_verify(basic, chain, store, 0) != 1) {
+ if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
 "OCSP_basic_verify() failed");
 goto error;
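Review bot: The `OCSP_basic_verify()` call on the added line now trusts every certificate in `chain` as a response signer, and nothing at the call site records that. Per the OpenSSL documentation, with `OCSP_TRUSTOTHER` a signer found in the `certs` argument is accepted once the response signature checks out, without building a chain to `store` and without the issuer/OCSP-signing checks, so the contents of the configured certificate chain become part of the trust decision. I would add a comment above the call such as `/* OCSP_TRUSTOTHER: a signer found in chain is trusted as is; store is consulted only for signers not in chain */`. Whether `chain` can ever hold anything beyond the operator's own intermediates is not visible here, since the body of ngx_ssl_stapling_ocsp_handler starts and ends outside the hunk.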