Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.h @ 4884:e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 03 Oct 2012 15:24:08 +0000 |
| parents | 4a804fd04e6c |
| children | 71d85de7b53b |
comparison
equal
deleted
inserted
replaced
| 4883:f7443eeb3536 | 4884:e406c997470a |
|---|---|
| 125 #define ngx_ssl_get_connection(ssl_conn) \ | 125 #define ngx_ssl_get_connection(ssl_conn) \ |
| 126 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) | 126 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) |
| 127 #define ngx_ssl_get_server_conf(ssl_ctx) \ | 127 #define ngx_ssl_get_server_conf(ssl_ctx) \ |
| 128 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) | 128 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) |
| 129 | 129 |
| 130 #define ngx_ssl_verify_error_optional(n) \ | |
| 131 (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ | |
| 132 || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \ | |
| 133 || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ | |
| 134 || n == X509_V_ERR_CERT_UNTRUSTED \ | |
| 135 || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) | |
| 136 | |
| 130 | 137 |
| 131 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, | 138 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, |
| 132 ngx_str_t *s); | 139 ngx_str_t *s); |
| 133 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, | 140 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, |
| 134 ngx_str_t *s); | 141 ngx_str_t *s); |