We have our own independent CA hierarchy, complete with client
certificates for servers and staff. When a server (or staff member) is
repurposed or decommissioned, we need to be able to revoke their
certificate - we do this by maintaining sets of CRLs.

Unfortunately, due to flaws in this hierarchy, getting a complete CRL
chain for each CA we have is difficult. This means client certs we would
consider valid are rejected as Nginx sets 'X509_V_FLAG_CRL_CHECK_ALL' on
the X509 store when the 'ssl_crl' directive is used. In the Apache world
we get around this by using the 'SSLCARevocationCheck leaf' option.
It would be nice to be able to control this flag, if only to work around
broken CRL chains.

I've noticed a variant of this problem has been discussed before (see trac
issue #1094 and "[PATCH] SSL: Added crl_check_mode", March 2017) and a
patch submitted. Before I knew of this, I wrote my own, roughly equivalent
patch (see attached). I haven't explicitly tested the stream or mail
changes, but the test suite does pass with these modules+ssl enabled.

Is there any possibility of having one of these patches incorporated?
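To make the two CRL-checking modes concrete, here is an added shell example (it is not the poster's patch and not nginx or Apache code). It uses the openssl command line to build a toy chain of root CA, intermediate CA and client certificate, publishes a CRL for the intermediate only, and then verifies the client certificate once with `-crl_check` (X509_V_FLAG_CRL_CHECK, the leaf issuer's CRL only, which is what `SSLCARevocationCheck leaf` amounts to) and once with `-crl_check_all` (X509_V_FLAG_CRL_CHECK_ALL, a CRL for every CA in the chain, the flag nginx sets with `ssl_crl`). All CA names, subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's patch: a toy three-level chain
# (Example Root -> Example Intermediate -> client leaf) with a CRL
# published for the intermediate only, checked under both OpenSSL modes.
#   -crl_check     : X509_V_FLAG_CRL_CHECK, CRL of the leaf's issuer only
#   -crl_check_all : adds X509_V_FLAG_CRL_CHECK_ALL, CRL for every CA
# All names, subjects and file names below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: an empty DN section so -subj works without the
# system openssl.cnf, a CA extension profile, and the 'ca' section that
# 'openssl ca -gencrl' needs to issue the intermediate's CRL.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = inter_ca
[ inter_ca ]
database = index.txt
crlnumber = crlnumber
certificate = inter.crt
private_key = inter.key
default_md = sha256
default_crl_days = 30
EOF

# Root CA. Deliberately, no CRL is ever published for it: this is the
# "incomplete CRL chain" situation described in the mail.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root" -extensions v3_ca \
    -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA, signed by the root, with CA and cRLSign extensions.
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_ca -out inter.crt 2>/dev/null

# Client (leaf) certificate, signed by the intermediate.
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -out leaf.crt 2>/dev/null

# An empty CRL (nothing revoked) for the intermediate: the only CRL we have.
: > index.txt
echo 01 > crlnumber
openssl ca -config ca.cnf -gencrl -out inter.crl 2>/dev/null

# Verify the leaf against root + intermediate with the given CRL mode.
# Prints OK or REJECTED and always returns 0 so callers can compare.
crl_check_result() {
    if openssl verify -CAfile root.crt -untrusted inter.crt \
        -CRLfile inter.crl "$1" leaf.crt >/dev/null 2>&1; then
        echo OK
    else
        echo REJECTED
    fi
}

echo "leaf-only CRL check  (-crl_check):     $(crl_check_result -crl_check)"
echo "whole-chain CRL check (-crl_check_all): $(crl_check_result -crl_check_all)"
```

With only the intermediate's CRL available, the leaf-only mode accepts the client certificate while the whole-chain mode rejects it because no CRL can be found for the root-issued part of the chain; that is exactly the difference between the Apache `leaf` setting and the flags nginx applies with `ssl_crl`. The same two outcomes would appear with a large chain where any one CA's CRL is missing or unreachable.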
Hello, in another of my experiments I would like to redirect the request
to a completely different website. I had a look at the proxy_pass
directive and the corresponding module, and I see that a location handler
is set, which means it will hook as the only content handler. My question
is, could I do the same as proxy_pass dynamically and not at config time?
For example in the rewrite phase as you would do with the