Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 4904:c3b276283e4a stable-1.2
Merge of r4885: ssl_verify_client optional_no_ca.
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 13 Nov 2012 10:42:16 +0000 |
| parents | d620f497c50f |
| children | 2ff51c32791f |
comparison
equal
deleted
inserted
replaced
| 4903:dcbb7989b5b5 | 4904:c3b276283e4a |
|---|---|
| 46 | 46 |
| 47 static ngx_conf_enum_t ngx_http_ssl_verify[] = { | 47 static ngx_conf_enum_t ngx_http_ssl_verify[] = { |
| 48 { ngx_string("off"), 0 }, | 48 { ngx_string("off"), 0 }, |
| 49 { ngx_string("on"), 1 }, | 49 { ngx_string("on"), 1 }, |
| 50 { ngx_string("optional"), 2 }, | 50 { ngx_string("optional"), 2 }, |
| 51 { ngx_string("optional_no_ca"), 3 }, | |
| 51 { ngx_null_string, 0 } | 52 { ngx_null_string, 0 } |
| 52 }; | 53 }; |
| 53 | 54 |
| 54 | 55 |
| 55 static ngx_command_t ngx_http_ssl_commands[] = { | 56 static ngx_command_t ngx_http_ssl_commands[] = { |
| 464 &conf->ciphers); | 465 &conf->ciphers); |
| 465 } | 466 } |
| 466 | 467 |
| 467 if (conf->verify) { | 468 if (conf->verify) { |
| 468 | 469 |
| 469 if (conf->client_certificate.len == 0) { | 470 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
| 470 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 471 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 471 "no ssl_client_certificate for ssl_client_verify"); | 472 "no ssl_client_certificate for ssl_client_verify"); |
| 472 return NGX_CONF_ERROR; | 473 return NGX_CONF_ERROR; |
| 473 } | 474 } |
| 474 | 475 |