For the "SSLStaplingReturnResponderErrors off" case, make sure to only

staple responses with certificate status "good". Also avoids including
inaccurate responses when the OCSP responder is not completely up
to date in terms of the CA-issued certificates (and provides interim
"unknown" or "extended revoked" [RFC 6960] status replies).

Log a certificate status other than "good" in stapling_check_response().

Propagate the "ok" status from stapling_check_response() back via both
stapling_renew_response() and get_and_check_cached_response() to the
callback code in stapling_cb(), enabling the decision whether to include
or skip the response.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1711728 13f79535-47bb-0310-9956-ffa450edef68