[PATCH] Add a no_verify option for SSL client authentication

Eric O'Connor eoconnor at coincident.com
Mon Aug 20 14:48:02 UTC 2012


> If I understand your message correctly, you've got a load balancer (or
> something similar) in front of nginx that already verifies the certificates.
> You simply don't want nginx to do all the double checking, or maybe you just
> don't want to store the keys on an application server.

We are performing certificate verification behind nginx (based on the
encoded certificate passed in an HTTP header over localhost).

> A patch such as the one you supplied would be a major security hole (for
> those who don't know what they're doing, which nowadays is most people)

But anyone that is implementing SSL client authentication understands
the value of verifying the certificates.

Eric


