[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

Eric O'Connor eoconnor at coincident.com
Wed Oct 3 16:55:15 UTC 2012


Great!

Here is a short [English] documentation patch to match. Unfortunately,
I do not speak Russian. Sorry.

Index: xml/en/docs/http/ngx_http_ssl_module.xml
===================================================================
--- xml/en/docs/http/ngx_http_ssl_module.xml	(revision 701)
+++ xml/en/docs/http/ngx_http_ssl_module.xml	(working copy)
@@ -481,7 +481,7 @@
 <directive name="ssl_verify_client">
 <syntax>
     <literal>on</literal> | <literal>off</literal> |
-    <literal>optional</literal></syntax>
+    <literal>optional</literal> | <literal>optional_no_ca</literal></syntax>
 <default>off</default>
 <context>http</context>
 <context>server</context>
@@ -490,6 +490,10 @@
 Enables the client certificate verification.
 The <literal>optional</literal> parameter (0.8.7+) requests the client
 certificate and verifies it if it was present.
+The <literal>optional_no_ca</literal> parameter (1.3.7) requests the client
+certificate but performs no certificate chain verification. This is intended
+to be used with a <link doc="ngx_http_proxy_module.xml"
id="proxy_set_header"/> directive to
+pass the $ssl_client_cert variable to a server that performs verification.
 The result of verification is stored in the
 <var>$ssl_client_verify</var> variable.
 </para>
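Review bot: this hunk will not apply as posted: the line `id="proxy_set_header"/> directive to` has no leading `+`, so the added `<link ...>` line appears to have been wrapped by the mail client and `patch` will treat the second half as a context line that does not exist in the target. Please re-send with the long line intact, e.g. `+to be used with a <link doc="ngx_http_proxy_module.xml" id="proxy_set_header"/> directive to`, or attach the patch. Two wording points on the new text: the version marker "(1.3.7)" does not follow the "(0.8.7+)" form used on the `optional` line just above, and the unchanged sentence that follows ("The result of verification is stored in the $ssl_client_verify variable") now reads as if it also covers `optional_no_ca`, where no chain verification is performed; it would help to state what the variable holds in that mode. Since the whole point of the mode is that nginx forwards a certificate it has not validated, the paragraph should also make clear that the server receiving $ssl_client_cert must perform the full verification itself and must not treat the certificate as trusted merely because the nginx handshake succeeded.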

On Wed, Oct 3, 2012 at 11:27 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Thu, Sep 27, 2012 at 12:30:29PM -0400, Eric O'Connor wrote:
>
>> Here is a modified patch addressing issues that Maxim brought up earlier:
>>
>> diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
>> index cd6d885..97da051 100644
>> --- a/src/event/ngx_event_openssl.h
>> +++ b/src/event/ngx_event_openssl.h
>> @@ -141,6 +141,14 @@ ngx_int_t
>> ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
>>      ngx_str_t *s);
>
> [...]
>
> Patch committed, thanks.
>
> --
> Maxim Dounin
> http://nginx.com/support.html