SSL: the "ssl_verify_client" directive parameter "optional_no_ca".

This parameter allows to don't require certificate to be signed by a trusted CA, e.g. if CA certificate isn't known in advance, like in WebID protocol. Note that it doesn't add any security unless the certificate is actually checked to be trusted by some external means (e.g. by a backend). Patch by Mike Kazantsev, Eric O'Connor.
author: Maxim Dounin <mdounin@mdounin.ru> 2012-10-03 15:24:08 +0000
committer: Maxim Dounin <mdounin@mdounin.ru> 2012-10-03 15:24:08 +0000
commit: c846871ce106e0fbe4c27a48a4c3378f18cd03f8 (patch)
tree: 671f9b27b80721d8e194e6450776cb54297a0f6b /src/http/ngx_http_request.c
parent: f8cc8969d52211530c0eba3d28e0cb03d4f958b3 (diff)
download: nginx-c846871ce106e0fbe4c27a48a4c3378f18cd03f8.tar.gz
nginx-c846871ce106e0fbe4c27a48a4c3378f18cd03f8.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index cb970c5c2..ec9d4a1c3 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1642,7 +1642,9 @@ ngx_http_process_request(ngx_http_request_t *r)
         if (sscf->verify) {
             rc = SSL_get_verify_result(c->ssl->connection);
 
-            if (rc != X509_V_OK) {
+            if (rc != X509_V_OK
+                && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+            {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error: (%l:%s)",
                               rc, X509_verify_cert_error_string(rc));
author	Maxim Dounin <mdounin@mdounin.ru>	2012-10-03 15:24:08 +0000
committer	Maxim Dounin <mdounin@mdounin.ru>	2012-10-03 15:24:08 +0000
commit	c846871ce106e0fbe4c27a48a4c3378f18cd03f8 (patch)
tree	671f9b27b80721d8e194e6450776cb54297a0f6b /src/http/ngx_http_request.c
parent	f8cc8969d52211530c0eba3d28e0cb03d4f958b3 (diff)
download	nginx-c846871ce106e0fbe4c27a48a4c3378f18cd03f8.tar.gz nginx-c846871ce106e0fbe4c27a48a4c3378f18cd03f8.zip