Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 4904:c3b276283e4a stable-1.2
Merge of r4885: ssl_verify_client optional_no_ca.
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 13 Nov 2012 10:42:16 +0000 |
| parents | 655a4ef244fa |
| children | 01d3d3a185e9 |
comparison
equal
deleted
inserted
replaced
| 4903:dcbb7989b5b5 | 4904:c3b276283e4a |
|---|---|
| 1632 sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); | 1632 sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); |
| 1633 | 1633 |
| 1634 if (sscf->verify) { | 1634 if (sscf->verify) { |
| 1635 rc = SSL_get_verify_result(c->ssl->connection); | 1635 rc = SSL_get_verify_result(c->ssl->connection); |
| 1636 | 1636 |
| 1637 if (rc != X509_V_OK) { | 1637 if (rc != X509_V_OK |
| 1638 && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) | |
| 1639 { | |
| 1638 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 1640 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
| 1639 "client SSL certificate verify error: (%l:%s)", | 1641 "client SSL certificate verify error: (%l:%s)", |
| 1640 rc, X509_verify_cert_error_string(rc)); | 1642 rc, X509_verify_cert_error_string(rc)); |
| 1641 | 1643 |
| 1642 ngx_ssl_remove_cached_session(sscf->ssl.ctx, | 1644 ngx_ssl_remove_cached_session(sscf->ssl.ctx, |