1*6236dae4SAndroid Build Coastguard Worker--- 2*6236dae4SAndroid Build Coastguard Workerc: Copyright (C) Daniel Stenberg, <[email protected]>, et al. 3*6236dae4SAndroid Build Coastguard WorkerSPDX-License-Identifier: curl 4*6236dae4SAndroid Build Coastguard WorkerLong: doh-cert-status 5*6236dae4SAndroid Build Coastguard WorkerHelp: Verify DoH server cert status OCSP-staple 6*6236dae4SAndroid Build Coastguard WorkerAdded: 7.76.0 7*6236dae4SAndroid Build Coastguard WorkerCategory: dns tls 8*6236dae4SAndroid Build Coastguard WorkerMulti: boolean 9*6236dae4SAndroid Build Coastguard WorkerSee-also: 10*6236dae4SAndroid Build Coastguard Worker - doh-insecure 11*6236dae4SAndroid Build Coastguard WorkerExample: 12*6236dae4SAndroid Build Coastguard Worker - --doh-cert-status --doh-url https://doh.example $URL 13*6236dae4SAndroid Build Coastguard Worker--- 14*6236dae4SAndroid Build Coastguard Worker 15*6236dae4SAndroid Build Coastguard Worker# `--doh-cert-status` 16*6236dae4SAndroid Build Coastguard Worker 17*6236dae4SAndroid Build Coastguard WorkerSame as --cert-status but used for DoH (DNS-over-HTTPS). 18*6236dae4SAndroid Build Coastguard Worker 19*6236dae4SAndroid Build Coastguard WorkerVerifies the status of the DoH servers' certificate by using the Certificate 20*6236dae4SAndroid Build Coastguard WorkerStatus Request (aka. OCSP stapling) TLS extension. 21*6236dae4SAndroid Build Coastguard Worker 22*6236dae4SAndroid Build Coastguard WorkerIf this option is enabled and the DoH server sends an invalid (e.g. expired) 23*6236dae4SAndroid Build Coastguard Workerresponse, if the response suggests that the server certificate has been 24*6236dae4SAndroid Build Coastguard Workerrevoked, or no response at all is received, the verification fails. 25*6236dae4SAndroid Build Coastguard Worker 26*6236dae4SAndroid Build Coastguard WorkerThis support is currently only implemented in the OpenSSL and GnuTLS backends. 27