diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2012-10-03 15:24:08 +0000 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2012-10-03 15:24:08 +0000 |
| commit | c846871ce106e0fbe4c27a48a4c3378f18cd03f8 (patch) | |
| tree | 671f9b27b80721d8e194e6450776cb54297a0f6b /src/event | |
| parent | f8cc8969d52211530c0eba3d28e0cb03d4f958b3 (diff) | |
| download | nginx-c846871ce106e0fbe4c27a48a4c3378f18cd03f8.tar.gz nginx-c846871ce106e0fbe4c27a48a4c3378f18cd03f8.tar.bz2 | |
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
Diffstat (limited to 'src/event')
| -rw-r--r-- | src/event/ngx_event_openssl.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index d1fb5739f..bf81d2529 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -127,6 +127,13 @@ ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); #define ngx_ssl_get_server_conf(ssl_ctx) \ SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) +#define ngx_ssl_verify_error_optional(n) \ + (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ + || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \ + || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ + || n == X509_V_ERR_CERT_UNTRUSTED \ + || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) + ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); |