Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 4884:e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 03 Oct 2012 15:24:08 +0000 |
parents | 4a804fd04e6c |
children | 4b4f4cea6dfb |
comparison
equal
deleted
inserted
replaced
4883:f7443eeb3536 | 4884:e406c997470a |
---|---|
48 | 48 |
49 static ngx_conf_enum_t ngx_http_ssl_verify[] = { | 49 static ngx_conf_enum_t ngx_http_ssl_verify[] = { |
50 { ngx_string("off"), 0 }, | 50 { ngx_string("off"), 0 }, |
51 { ngx_string("on"), 1 }, | 51 { ngx_string("on"), 1 }, |
52 { ngx_string("optional"), 2 }, | 52 { ngx_string("optional"), 2 }, |
53 { ngx_string("optional_no_ca"), 3 }, | |
53 { ngx_null_string, 0 } | 54 { ngx_null_string, 0 } |
54 }; | 55 }; |
55 | 56 |
56 | 57 |
57 static ngx_command_t ngx_http_ssl_commands[] = { | 58 static ngx_command_t ngx_http_ssl_commands[] = { |
513 &conf->ciphers); | 514 &conf->ciphers); |
514 } | 515 } |
515 | 516 |
516 if (conf->verify) { | 517 if (conf->verify) { |
517 | 518 |
518 if (conf->client_certificate.len == 0) { | 519 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
519 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 520 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
520 "no ssl_client_certificate for ssl_client_verify"); | 521 "no ssl_client_certificate for ssl_client_verify"); |
521 return NGX_CONF_ERROR; | 522 return NGX_CONF_ERROR; |
522 } | 523 } |
523 | 524 |