# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1352803336 0
# Node ID c3b276283e4a08372a7bd3c9ee61dcde88ce02e4
# Parent  dcbb7989b5b56e9b9a9e897a4842dccf9413bbe1
Merge of r4885: ssl_verify_client optional_no_ca.

SSL: the "ssl_verify_client" directive parameter "optional_no_ca".

This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.

diff -r dcbb7989b5b5 -r c3b276283e4a src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Mon Nov 12 18:47:07 2012 +0000
+++ b/src/event/ngx_event_openssl.h	Tue Nov 13 10:42:16 2012 +0000
@@ -120,6 +120,13 @@
 #define ngx_ssl_get_server_conf(ssl_ctx)                                      \
     SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)
 
+#define ngx_ssl_verify_error_optional(n)                                      \
+    (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT                              \
+     || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN                             \
+     || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY                     \
+     || n == X509_V_ERR_CERT_UNTRUSTED                                        \
+     || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
+
 
 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
diff -r dcbb7989b5b5 -r c3b276283e4a src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Mon Nov 12 18:47:07 2012 +0000
+++ b/src/http/modules/ngx_http_ssl_module.c	Tue Nov 13 10:42:16 2012 +0000
@@ -48,6 +48,7 @@
     { ngx_string("off"), 0 },
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
+    { ngx_string("optional_no_ca"), 3 },
     { ngx_null_string, 0 }
 };
 
@@ -466,7 +467,7 @@
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0) {
+        if (conf->client_certificate.len == 0 && conf->verify != 3) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no ssl_client_certificate for ssl_client_verify");
             return NGX_CONF_ERROR;
diff -r dcbb7989b5b5 -r c3b276283e4a src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c	Mon Nov 12 18:47:07 2012 +0000
+++ b/src/http/ngx_http_request.c	Tue Nov 13 10:42:16 2012 +0000
@@ -1634,7 +1634,9 @@
         if (sscf->verify) {
             rc = SSL_get_verify_result(c->ssl->connection);
 
-            if (rc != X509_V_OK) {
+            if (rc != X509_V_OK
+                && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+            {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error: (%l:%s)",
                               rc, X509_verify_cert_error_string(rc));