nginx: ssl_stapling_verify: What exactly is being verified?
I looked in the Nginx source code, in the file ngx_event_openssl_stapling.c#L660:

```c
OCSP_basic_verify(basic, chain, store,
                  staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
```

If you configure `ssl_stapling_verify` with the value `on`, then `staple->verify` will be true, and the function `OCSP_basic_verify` will use the `OCSP_TRUSTOTHER` param to verify.
Then I found the `OCSP_basic_verify` function in the OpenSSL library; it says:

> Then the function already returns success if the flags contain OCSP_NOVERIFY or if the signer certificate was found in certs and the flags contain OCSP_TRUSTOTHER.
More about this is here: https://meto.cc/article/what-exactly-did-ssl_stapling_verify-verify
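
Added example, not part of the original answer or of the nginx project: a server block that annotates how each `ssl_stapling_verify` value maps to the flag passed to `OCSP_basic_verify`, together with the directives the nginx documentation names as prerequisites for stapling and its verification. The server name, file paths and resolver address are constructed placeholders.

```nginx
# Constructed example: server name, paths and resolver address are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Fetch OCSP responses and staple them into the TLS handshake.
    ssl_stapling on;

    # off (default): staple->verify is false, so nginx passes OCSP_NOVERIFY
    #                and the early "returns success" case quoted above applies
    #                regardless of who the signer is.
    # on:            staple->verify is true, so nginx passes OCSP_TRUSTOTHER;
    #                the early return then applies only if the signer
    #                certificate was found in the certs given to the call.
    ssl_stapling_verify on;

    # The nginx documentation states that, for verification to work, the
    # issuer of the server certificate, all intermediate certificates and the
    # root certificate must be configured as trusted with this directive.
    ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;

    # nginx needs a resolver to look up the OCSP responder's hostname.
    resolver 192.0.2.53;
}
```

Validate the file with `nginx -t` before reloading.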