[PATCH] Add a no_verify option for SSL client authentication

Eric O'Connor eoconnor at coincident.com
Sat Aug 18 15:48:09 UTC 2012


Hello Nginx,

This patch adds a "ssl_verify_client no_verify;" option that asks the
client to present a certificate, but does not fail the request when
that certificate does not validate. It also allows
"ssl_client_certificate" to be omitted when this option is specified.

This is useful for our company's application where we would like to do
SSL client authentication on an application server.

Any feedback is welcome.

~ Eric O'Connor

---
 src/http/modules/ngx_http_ssl_module.c |    3 ++-
 src/http/ngx_http_request.c            |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/http/modules/ngx_http_ssl_module.c
b/src/http/modules/ngx_http_ssl_module.c
index d759489..fede8e0 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -48,6 +48,7 @@ static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
     { ngx_string("off"), 0 },
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
+    { ngx_string("no_verify"), 3 },
     { ngx_null_string, 0 }
 };
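Review bot: The value 3 assigned to `no_verify` here is then compared as a bare literal in both later hunks (`conf->verify != 3` in ngx_http_ssl_merge_srv_conf and `sscf->verify != 3` in ngx_http_process_request), which ties two files to a table position with nothing that names the meaning. Define a constant next to this table, e.g. `#define NGX_HTTP_SSL_VERIFY_NO_VERIFY  3` (suggested name), and use it at both sites so that a later reordering of the table cannot silently change which mode skips the check. The name `no_verify` also understates what the mode does: the client is still asked for a certificate and only the chain result is ignored, so a short comment on the new entry, `/* request a client certificate but ignore the chain verification result */`, would help readers of the directive table.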

@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void
*parent, void *child)

     if (conf->verify) {

-        if (conf->client_certificate.len == 0) {
+        if (conf->client_certificate.len == 0 && conf->verify != 3) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no ssl_client_certificate for
ssl_client_verify");
             return NGX_CONF_ERROR;
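Review bot: With `conf->verify == 3` and an empty `client_certificate`, control now falls past this check into the rest of ngx_http_ssl_merge_srv_conf, which continues outside the hunk; whatever follows (presumably the call that installs the CA file into the SSL context) must tolerate an empty path, otherwise the configuration-time error this check used to give becomes a runtime failure. Add a comment on the new condition, e.g. `/* no_verify: no CA file required, the peer chain result is never enforced */`, and confirm that the later code handles `client_certificate.len == 0`. Note also that `verify` remains truthy for mode 3, so every other `if (conf->verify)` / `if (sscf->verify)` site in the tree is now entered for a mode that may have loaded no trust anchors at all.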
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index c104db1..5d02683 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1634,7 +1634,7 @@ ngx_http_process_request(ngx_http_request_t *r)
         if (sscf->verify) {
             rc = SSL_get_verify_result(c->ssl->connection);

-            if (rc != X509_V_OK) {
+            if (sscf->verify != 3 && rc != X509_V_OK) {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error:
(%l:%s)",
                               rc, X509_verify_cert_error_string(rc));
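Review bot: Folding `sscf->verify != 3` into this condition also suppresses the INFO log on the following lines, so in `no_verify` mode a certificate that fails SSL_get_verify_result leaves no trace in the error log even though the request proceeds; the body of this branch continues outside the hunk. Keep `if (rc != X509_V_OK)` as the outer test, let the ngx_log_error call run unconditionally inside it, and apply `sscf->verify != 3` only to the rejection that follows, so operators can still see that an unverifiable chain was let through. Since this mode can run with no CA bundle loaded, most presented certificates will likely yield a non-OK `rc` here, making that log line the only server-side record that the chain was not validated; the same bare literal 3 is used in ngx_http_ssl_module.c and should share a named constant with it.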
--



