[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

Maxim Dounin mdounin at mdounin.ru
Tue Sep 18 07:43:55 UTC 2012


Hello!

On Sat, Sep 15, 2012 at 07:52:30AM -0400, mk.fg wrote:

> Re-post of patch from
> http://forum.nginx.org/read.php?2,228761,229586#msg-229586
> The updated version of the patch in the original thread hasn't received any new
> attention, it seems, and I've received several inquiries now about the
> status of this work, so this thread is basically an attempt to draw more
> attention to this patch.
> 
> Use-case is the same as before - enable CA-chain validation in the
> application only - but with all non-CA-chain validation handled by nginx, so
> it won't be necessary to duplicate (and possibly mess-up) these details
> (handled by openssl) in application code.

You may want to join discussion here, about the similar patch 
submitted:

http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002643.html

In particular, I would like someone to actually test if the 
error_page 495 approach works instead as suggested here:

http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002650.html

And a quick comment for your patch: I tend to think that 
introduction of ngx_http_ssl_variable_get_client_verify() is 
misleading.  We shouldn't try to claim the certificate was 
verified unless it actually was.

Maxim Dounin
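For readers who land here looking for the use case being discussed, the configuration below is an added example and not part of the patch or of either message. It assumes the `optional_no_ca` value as it later shipped in upstream nginx (documented for 1.3.8/1.2.5), where nginx still handles the handshake and the non-chain checks but lets the handshake complete even when the presented certificate does not chain to a trusted CA. The header names, the `/etc/nginx/...` paths and the `backend` upstream are placeholders. `$ssl_client_escaped_cert` assumes nginx 1.13.5 or later; on older versions use `$ssl_client_cert` and be prepared for its multi-line value.

```nginx
# Added example: hand CA-chain validation to the application while nginx
# keeps doing the TLS handshake and certificate parsing.
upstream backend {
    server 127.0.0.1:8080;   # placeholder application server
}

server {
    listen 443 ssl;
    server_name example.test;   # placeholder

    ssl_certificate     /etc/nginx/server.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/server.key;

    # Ask for a client certificate but do not reject the handshake when it
    # does not chain to ssl_client_certificate. The application performs
    # the actual chain validation (the page's use case).
    ssl_verify_client optional_no_ca;

    # Still needed: the CA list advertised to clients in the handshake and
    # used to compute $ssl_client_verify. Keep ssl_verify_depth so the
    # depth limit is enforced by nginx, not by the application.
    ssl_client_certificate /etc/nginx/client-ca.crt;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://backend;

        # Pass what the application needs to decide for itself. Do not map
        # a FAILED value to an "authenticated" state: with optional_no_ca,
        # $ssl_client_verify reports NONE / SUCCESS / FAILED exactly as
        # OpenSSL saw it, which is the point Maxim makes about not
        # claiming a certificate was verified when it was not.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }
}
```

Two things to keep in mind when deploying this shape. First, the application must refuse to trust `X-SSL-Client-Cert` unless the request demonstrably came through this nginx instance (for example, the backend listens only on localhost or a private interface), since any client that can reach the backend directly could set the header itself. Second, the application should validate the full chain against its own trust store and check the verify header; `NONE` means no certificate was presented at all, and `FAILED` means OpenSSL could not build a trusted chain, which is precisely the case the application is expected to resolve on its own.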


