nginx: ssl_stapling_verify: What exactly is being verified?

I found this in the Nginx source code, in the file ngx_event_openssl_stapling.c#L660:

```c
OCSP_basic_verify(basic, chain, store,
                  staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
```

If you configure `ssl_stapling_verify` with the value `on`, then `staple->verify` will be true, and the function `OCSP_basic_verify` will use the `OCSP_TRUSTOTHER` parameter to verify.

Then I found the `OCSP_basic_verify` function in the OpenSSL library; it says:

> Then the function already returns success if the flags contain OCSP_NOVERIFY or if the signer certificate was found in certs and the flags contain OCSP_TRUSTOTHER.

More details are here: https://meto.cc/article/what-exactly-did-ssl_stapling_verify-verify
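
The flag logic described in this answer, as an added example that is not part of the original answer and is not nginx or OpenSSL code: a simplified C model of the decision order documented for `OCSP_basic_verify`, showing which check decides the result for each `ssl_stapling_verify` setting. The flag values, struct and function names are hypothetical, and `signer_path_ok` stands in for the whole signer-certificate validation step.

```c
#include <stdio.h>

/* Model-local flag bits (hypothetical values, not OpenSSL's constants). */
enum { M_NOVERIFY = 1, M_TRUSTOTHER = 2 };

/* Facts about one stapled response, supplied by the caller of the model. */
struct staple_facts {
    int signer_in_certs;    /* signer cert is in the `certs` argument */
    int signer_in_response; /* signer cert is embedded in the response */
    int signature_ok;       /* response signature verifies under signer key */
    int signer_path_ok;     /* signer cert validates against the trusted store
                               (path building plus OCSP issuer checks) */
};

enum outcome {
    FAIL_NO_SIGNER, FAIL_SIGNATURE, FAIL_SIGNER_PATH,
    OK_EARLY, /* success without validating the signer certificate */
    OK_PATH   /* success after validating the signer certificate */
};

/* Documented order: find signer, check signature, early return, validate. */
enum outcome model_basic_verify(const struct staple_facts *f, int flags)
{
    if (!f->signer_in_certs && !f->signer_in_response)
        return FAIL_NO_SIGNER;
    if (!f->signature_ok)
        return FAIL_SIGNATURE;
    if ((flags & M_NOVERIFY) || (f->signer_in_certs && (flags & M_TRUSTOTHER)))
        return OK_EARLY;
    return f->signer_path_ok ? OK_PATH : FAIL_SIGNER_PATH;
}

/* Flag selection from the nginx line quoted above. */
int nginx_flags(int ssl_stapling_verify)
{
    return ssl_stapling_verify ? M_TRUSTOTHER : M_NOVERIFY;
}

int main(void)
{
    /* Constructed case: signer cert only embedded in the response and
       not validating against the trusted store. */
    struct staple_facts embedded = {0, 1, 1, 0};
    printf("verify off: %d\n", model_basic_verify(&embedded, nginx_flags(0)));
    printf("verify on:  %d\n", model_basic_verify(&embedded, nginx_flags(1)));
    return 0;
}
```

In this model the response signature is checked under both settings; what `ssl_stapling_verify on` adds is validation of the signer certificate whenever that certificate was not found in `certs`.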
