Mercurial > hg > nginx
diff src/http/ngx_http_request.c @ 4884:e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 03 Oct 2012 15:24:08 +0000 |
parents | 4e842583c890 |
children | 1e666c78a42c |
line wrap: on
line diff
--- a/src/http/ngx_http_request.c Wed Oct 03 15:22:18 2012 +0000 +++ b/src/http/ngx_http_request.c Wed Oct 03 15:24:08 2012 +0000 @@ -1642,7 +1642,9 @@ if (sscf->verify) { rc = SSL_get_verify_result(c->ssl->connection); - if (rc != X509_V_OK) { + if (rc != X509_V_OK + && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) + { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client SSL certificate verify error: (%l:%s)", rc, X509_verify_cert_error_string(rc));