[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

Ruslan Ermilov ru at nginx.com
Mon Oct 8 14:49:31 UTC 2012

On Wed, Oct 03, 2012 at 12:55:15PM -0400, Eric O'Connor wrote:
> Great!
> Here is a short [English] documentation patch to match. Unfortunately,
> I do not speak Russian. Sorry.

Here's the cleaned-up version:

Index: ngx_http_ssl_module.xml
--- ngx_http_ssl_module.xml	(revision 712)
+++ ngx_http_ssl_module.xml	(working copy)
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_ssl_module"
-        rev="2">
+        rev="3">
 <section id="summary">
@@ -481,7 +481,7 @@
 <directive name="ssl_verify_client">
     <literal>on</literal> | <literal>off</literal> |
-    <literal>optional</literal></syntax>
+    <literal>optional</literal> | <literal>optional_no_ca</literal></syntax>
@@ -490,6 +490,12 @@
 Enables the client certificate verification.
 The <literal>optional</literal> parameter (0.8.7+) requests the client
 certificate and verifies it if it was present.
+The <literal>optional_no_ca</literal> parameter (1.3.7) requests the client
+certificate but performs no certificate chain verification.
+This is intended to be used with a
+<link doc="ngx_http_proxy_module.xml" id="proxy_set_header"/> directive
+to pass the <var>$ssl_client_cert</var> variable to a server that performs
 The result of verification is stored in the
 <var>$ssl_client_verify</var> variable.
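
Review bot: the added paragraph in the last hunk breaks off at "to a server that performs" and runs straight into the unchanged line "The result of verification is stored in the", so "performs" has no object. The hunk header announces 12 new-side lines but only 10 are visible, so the end of that sentence appears to be missing and should be restored. Because this mode "performs no certificate chain verification", the text should also state plainly that the certificate passed in $ssl_client_cert is unverified and that the receiving server is responsible for validating the chain. The paragraph should also say what $ssl_client_verify contains when optional_no_ca is used, since the following sentence still describes it as the result of verification.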
