diff --git a/reference-lib/package-lock.json b/reference-lib/package-lock.json
index 9fec779..9112f15 100644
--- a/reference-lib/package-lock.json
+++ b/reference-lib/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@nginx/reference-lib",
- "version": "1.1.1",
+ "version": "1.1.2",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@nginx/reference-lib",
- "version": "1.1.1",
+ "version": "1.1.2",
 "devDependencies": {
 "@rollup/plugin-json": "^6.1.0",
 "@rollup/plugin-typescript": "^11.1.6",
diff --git a/reference-lib/package.json b/reference-lib/package.json
index 7e83347..18968e5 100644
--- a/reference-lib/package.json
+++ b/reference-lib/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@nginx/reference-lib",
- "version": "1.1.1",
+ "version": "1.1.2",
 "description": "",
 "main": "dist/index.js",
 "type": "module",
diff --git a/reference-lib/src/reference.json b/reference-lib/src/reference.json
index c292aeb..09a027a 100644
--- a/reference-lib/src/reference.json
+++ b/reference-lib/src/reference.json
@@ -15220,8 +15220,8 @@ "

file

\n" ], "isBlock": false, - "description_md": "Specifies a *`file`* with trusted CA certificates in the PEM format\nused to [verify](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_verify_client) client certificates.\n\nThe list of certificates will be sent to clients.\nIf this is not desired, the [`ssl_trusted_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_trusted_certificate)\ndirective can be used.", - "description_html": "

Specifies a file with trusted CA certificates in the PEM format\nused to verify client certificates.

\n\n

The list of certificates will be sent to clients.\nIf this is not desired, the ssl_trusted_certificate\ndirective can be used.

\n" + "description_md": "Specifies a *`file`* with trusted CA certificates in the PEM format\nused to [verify](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_verify_client) client certificates and\nOCSP responses if [`ssl_stapling`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_stapling) is enabled.\n\nThe list of certificates will be sent to clients.\nIf this is not desired, the [`ssl_trusted_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_trusted_certificate)\ndirective can be used.", + "description_html": "

Specifies a file with trusted CA certificates in the PEM format\nused to verify client certificates and\nOCSP responses if ssl_stapling is enabled.

\n\n

The list of certificates will be sent to clients.\nIf this is not desired, the ssl_trusted_certificate\ndirective can be used.

\n" }, { "name": "ssl_conf_command", @@ -15308,6 +15308,57 @@ "description_md": "Specifies a timeout for the SSL handshake to complete.", "description_html": "

Specifies a timeout for the SSL handshake to complete.

\n" }, + { + "name": "ssl_ocsp", + "default": "off", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "`on` | `off` | `leaf`" + ], + "syntax_html": [ + "

on | off | leaf

\n" + ], + "isBlock": false, + "description_md": "Enables OCSP validation of the client certificate chain.\nThe `leaf` parameter\nenables validation of the client certificate only.\n\nFor the OCSP validation to work,\nthe [`ssl_verify_client`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_verify_client) directive should be set to\n`on` or `optional`.\n\nTo resolve the OCSP responder hostname,\nthe [`resolver`](https://nginx.org/en/docs/stream/ngx_stream_core_module.html#resolver) directive\nshould also be specified.\n\nExample:\n```\nssl_verify_client on;\nssl_ocsp on;\nresolver 192.0.2.1;\n```", + "description_html": "

Enables OCSP validation of the client certificate chain.\nThe leaf parameter\nenables validation of the client certificate only.

\n\n

For the OCSP validation to work,\nthe ssl_verify_client directive should be set to\non or optional.

\n\n

To resolve the OCSP responder hostname,\nthe resolver directive\nshould also be specified.

\n\n

Example:

\n\n
ssl_verify_client on;\nssl_ocsp          on;\nresolver          192.0.2.1;\n
\n" + }, + { + "name": "ssl_ocsp_cache", + "default": "off", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "`off` | [`shared`:*`name`*:*`size`*]" + ], + "syntax_html": [ + "

off | [shared:name:size]

\n" + ], + "isBlock": false, + "description_md": "Sets `name` and `size` of the cache\nthat stores client certificates status for OCSP validation.\nThe cache is shared between all worker processes.\nA cache with the same name can be used in several virtual servers.\n\nThe `off` parameter prohibits the use of the cache.", + "description_html": "

Sets name and size of the cache\nthat stores client certificates status for OCSP validation.\nThe cache is shared between all worker processes.\nA cache with the same name can be used in several virtual servers.

\n\n

The off parameter prohibits the use of the cache.

\n" + }, + { + "name": "ssl_ocsp_responder", + "default": "", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "*`url`*" + ], + "syntax_html": [ + "

url

\n" + ], + "isBlock": false, + "description_md": "Overrides the URL of the OCSP responder specified in the\n“[Authority Information Access](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)” certificate extension\nfor [validation](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_ocsp) of client certificates.\n\nOnly “`http://`” OCSP responders are supported:\n```\nssl_ocsp_responder http://ocsp.example.com/;\n```", + "description_html": "

Overrides the URL of the OCSP responder specified in the\n“Authority Information Access” certificate extension\nfor validation of client certificates.

\n\n

Only “http://” OCSP responders are supported:

\n\n
ssl_ocsp_responder http://ocsp.example.com/;\n
\n" + }, { "name": "ssl_password_file", "default": "", @@ -15444,6 +15495,74 @@ "description_md": "Specifies a time during which a client may reuse the\nsession parameters.", "description_html": "

Specifies a time during which a client may reuse the\nsession parameters.

\n" }, + { + "name": "ssl_stapling", + "default": "off", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "`on` | `off`" + ], + "syntax_html": [ + "

on | off

\n" + ], + "isBlock": false, + "description_md": "Enables or disables\n[stapling of OCSP responses](https://datatracker.ietf.org/doc/html/rfc6066#section-8) by the server.\nExample:\n```\nssl_stapling on;\nresolver 192.0.2.1;\n```\n\nFor the OCSP stapling to work, the certificate of the server certificate\nissuer should be known.\nIf the [`ssl_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_certificate) file does\nnot contain intermediate certificates,\nthe certificate of the server certificate issuer should be\npresent in the\n[`ssl_trusted_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_trusted_certificate) file.\n\nFor a resolution of the OCSP responder hostname,\nthe [`resolver`](https://nginx.org/en/docs/stream/ngx_stream_core_module.html#resolver) directive\nshould also be specified.", + "description_html": "

Enables or disables\nstapling of OCSP responses by the server.\nExample:

\n\n
ssl_stapling on;\nresolver 192.0.2.1;\n
\n\n

For the OCSP stapling to work, the certificate of the server certificate\nissuer should be known.\nIf the ssl_certificate file does\nnot contain intermediate certificates,\nthe certificate of the server certificate issuer should be\npresent in the\nssl_trusted_certificate file.

\n\n

For a resolution of the OCSP responder hostname,\nthe resolver directive\nshould also be specified.

\n" + }, + { + "name": "ssl_stapling_file", + "default": "", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "*`file`*" + ], + "syntax_html": [ + "

file

\n" + ], + "isBlock": false, + "description_md": "When set, the stapled OCSP response will be taken from the\nspecified *`file`* instead of querying\nthe OCSP responder specified in the server certificate.\n\nThe file should be in the DER format as produced by the\n“`openssl ocsp`” command.", + "description_html": "

When set, the stapled OCSP response will be taken from the\nspecified file instead of querying\nthe OCSP responder specified in the server certificate.

\n\n

The file should be in the DER format as produced by the\n“openssl ocsp” command.

\n" + }, + { + "name": "ssl_stapling_responder", + "default": "", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "*`url`*" + ], + "syntax_html": [ + "

url

\n" + ], + "isBlock": false, + "description_md": "Overrides the URL of the OCSP responder specified in the\n“[Authority Information Access](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)” certificate extension.\n\nOnly “`http://`” OCSP responders are supported:\n```\nssl_stapling_responder http://ocsp.example.com/;\n```", + "description_html": "

Overrides the URL of the OCSP responder specified in the\n“Authority Information Access” certificate extension.

\n\n

Only “http://” OCSP responders are supported:

\n\n
ssl_stapling_responder http://ocsp.example.com/;\n
\n" + }, + { + "name": "ssl_stapling_verify", + "default": "off", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "`on` | `off`" + ], + "syntax_html": [ + "

on | off

\n" + ], + "isBlock": false, + "description_md": "Enables or disables verification of OCSP responses by the server.\n\nFor verification to work, the certificate of the server certificate\nissuer, the root certificate, and all intermediate certificates\nshould be configured as trusted using the\n[`ssl_trusted_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_trusted_certificate) directive.", + "description_html": "

Enables or disables verification of OCSP responses by the server.

\n\n

For verification to work, the certificate of the server certificate\nissuer, the root certificate, and all intermediate certificates\nshould be configured as trusted using the\nssl_trusted_certificate directive.

\n" + }, { "name": "ssl_trusted_certificate", "default": "", @@ -15458,8 +15577,8 @@ "

file

\n" ], "isBlock": false, - "description_md": "Specifies a *`file`* with trusted CA certificates in the PEM format\nused to [verify](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_verify_client) client certificates.\n\nIn contrast to the certificate set by [`ssl_client_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_client_certificate),\nthe list of these certificates will not be sent to clients.", - "description_html": "

Specifies a file with trusted CA certificates in the PEM format\nused to verify client certificates.

\n\n

In contrast to the certificate set by ssl_client_certificate,\nthe list of these certificates will not be sent to clients.

\n" + "description_md": "Specifies a *`file`* with trusted CA certificates in the PEM format\nused to [verify](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_verify_client) client certificates and\nOCSP responses if [`ssl_stapling`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_stapling) is enabled.\n\nIn contrast to the certificate set by [`ssl_client_certificate`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_client_certificate),\nthe list of these certificates will not be sent to clients.", + "description_html": "

Specifies a file with trusted CA certificates in the PEM format\nused to verify client certificates and\nOCSP responses if ssl_stapling is enabled.

\n\n

In contrast to the certificate set by ssl_client_certificate,\nthe list of these certificates will not be sent to clients.

\n" }, { "name": "ssl_verify_client", @@ -16249,5 +16368,5 @@ ] } ], - "version": "https://github.com/nginx/nginx.org/commit/5dd1de03c22d985d794ea90c3c6ac0ccb36448a0" + "version": "https://github.com/nginx/nginx.org/commit/6e199dec7bb66c7683a37531b802fa7fbf216cac" }