Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 4884:e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 03 Oct 2012 15:24:08 +0000 |
| parents | 4e842583c890 |
| children | 1e666c78a42c |
comparison
equal
deleted
inserted
replaced
| 4883:f7443eeb3536 | 4884:e406c997470a |
|---|---|
| 1640 sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); | 1640 sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); |
| 1641 | 1641 |
| 1642 if (sscf->verify) { | 1642 if (sscf->verify) { |
| 1643 rc = SSL_get_verify_result(c->ssl->connection); | 1643 rc = SSL_get_verify_result(c->ssl->connection); |
| 1644 | 1644 |
| 1645 if (rc != X509_V_OK) { | 1645 if (rc != X509_V_OK |
| 1646 && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) | |
| 1647 { | |
| 1646 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 1648 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
| 1647 "client SSL certificate verify error: (%l:%s)", | 1649 "client SSL certificate verify error: (%l:%s)", |
| 1648 rc, X509_verify_cert_error_string(rc)); | 1650 rc, X509_verify_cert_error_string(rc)); |
| 1649 | 1651 |
| 1650 ngx_ssl_remove_cached_session(sscf->ssl.ctx, | 1652 ngx_ssl_remove_cached_session(sscf->ssl.ctx, |