[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 18 07:43:55 UTC 2012
Hello!
On Sat, Sep 15, 2012 at 07:52:30AM -0400, mk.fg wrote:
> Re-post of patch from
> http://forum.nginx.org/read.php?2,228761,229586#msg-229586
> The updated version of the patch in the original thread hasn't received any new
> attention, it seems, and I've received several inquiries now about the
> status of this work, so this thread is basically an attempt to draw more
> attention to this patch.
>
> The use case is the same as before - enable CA-chain validation in the
> application only - but with all non-CA-chain validation handled by nginx, so
> it won't be necessary to duplicate (and possibly mess up) these details
> (handled by OpenSSL) in application code.
You may want to join discussion here, about the similar patch
submitted:
http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002643.html
In particular, I would like someone to actually test if the
error_page 495 approach works instead, as suggested here:
http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002650.html
And a quick comment for your patch: I tend to think that
introduction of ngx_http_ssl_variable_get_client_verify() is
misleading. We shouldn't try to claim the certificate was
verified unless it actually was.
Maxim Dounin
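As an added illustration of the split that the quoted use case describes (not part of the patch or of this thread), the following nginx configuration uses the proposed `optional_no_ca` mode so that nginx still enforces the OpenSSL-side checks on the presented client certificate but leaves the CA-chain decision to the backend; the server name, file paths and backend address are placeholders:

```nginx
# Added example, not from the patch or the thread. nginx terminates TLS,
# requests a client certificate and, with optional_no_ca, completes the
# handshake even when it cannot build a trusted issuer chain. The
# application behind proxy_pass must then validate the chain itself.
server {
    listen 443 ssl;
    server_name example.com;                    # placeholder

    ssl_certificate     /etc/nginx/server.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/server.key;

    # Ask for a client certificate but do not require a known CA.
    ssl_verify_client optional_no_ca;

    location / {
        proxy_pass http://127.0.0.1:8080;       # assumed backend

        # Forward the PEM certificate so the application can perform the
        # CA-chain validation. proxy_set_header replaces any header of the
        # same name sent by the client, so the backend only ever sees the
        # value nginx took from the TLS session.
        proxy_set_header X-Client-Cert   $ssl_client_cert;

        # Informational only: with optional_no_ca the chain was not
        # enforced, so the backend must not treat this value as proof of
        # a verified certificate.
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

The backend should refuse requests whose X-Client-Cert header is empty or whose chain does not validate against the CAs it trusts, since nginx deliberately no longer makes that decision in this mode.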