[nginx] svn commit: r4905 - in branches/stable-1.2: . src/event src/http src/http/modules

mdounin at mdounin.ru mdounin at mdounin.ru
Tue Nov 13 10:42:17 UTC 2012


Author: mdounin
Date: 2012-11-13 10:42:16 +0000 (Tue, 13 Nov 2012)
New Revision: 4905
URL: http://trac.nginx.org/nginx/changeset/4905/nginx

Log:
Merge of r4885: ssl_verify_client optional_no_ca.

SSL: the "ssl_verify_client" directive parameter "optional_no_ca".

This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.


Modified:
   branches/stable-1.2/
   branches/stable-1.2/src/event/ngx_event_openssl.h
   branches/stable-1.2/src/http/modules/ngx_http_ssl_module.c
   branches/stable-1.2/src/http/ngx_http_request.c

Index: branches/stable-1.2
===================================================================
--- branches/stable-1.2	2012-11-12 18:47:07 UTC (rev 4904)
+++ branches/stable-1.2	2012-11-13 10:42:16 UTC (rev 4905)

Property changes on: branches/stable-1.2
___________________________________________________________________
Modified: svn:mergeinfo
## -1 +1 ##
-/trunk:4611-4632,4636-4657,4671-4672,4674-4676,4682,4684-4699,4704-4706,4713,4736-4741,4754,4756-4771,4775,4777-4780,4782-4785,4795,4811-4820,4822-4824,4828-4835,4840-4844,4865-4872,4890,4893,4895
+/trunk:4611-4632,4636-4657,4671-4672,4674-4676,4682,4684-4699,4704-4706,4713,4736-4741,4754,4756-4771,4775,4777-4780,4782-4785,4795,4811-4820,4822-4824,4828-4835,4840-4844,4865-4872,4885,4890,4893,4895
\ No newline at end of property
Modified: branches/stable-1.2/src/event/ngx_event_openssl.h
===================================================================
--- branches/stable-1.2/src/event/ngx_event_openssl.h	2012-11-12 18:47:07 UTC (rev 4904)
+++ branches/stable-1.2/src/event/ngx_event_openssl.h	2012-11-13 10:42:16 UTC (rev 4905)
@@ -120,7 +120,14 @@
 #define ngx_ssl_get_server_conf(ssl_ctx)                                      \
     SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)
 
+#define ngx_ssl_verify_error_optional(n)                                      \
+    (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT                              \
+     || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN                             \
+     || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY                     \
+     || n == X509_V_ERR_CERT_UNTRUSTED                                        \
+     || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
 
+
 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,

Modified: branches/stable-1.2/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- branches/stable-1.2/src/http/modules/ngx_http_ssl_module.c	2012-11-12 18:47:07 UTC (rev 4904)
+++ branches/stable-1.2/src/http/modules/ngx_http_ssl_module.c	2012-11-13 10:42:16 UTC (rev 4905)
@@ -48,6 +48,7 @@
     { ngx_string("off"), 0 },
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
+    { ngx_string("optional_no_ca"), 3 },
     { ngx_null_string, 0 }
 };
 
@@ -466,7 +467,7 @@
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0) {
+        if (conf->client_certificate.len == 0 && conf->verify != 3) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no ssl_client_certificate for ssl_client_verify");
             return NGX_CONF_ERROR;

Modified: branches/stable-1.2/src/http/ngx_http_request.c
===================================================================
--- branches/stable-1.2/src/http/ngx_http_request.c	2012-11-12 18:47:07 UTC (rev 4904)
+++ branches/stable-1.2/src/http/ngx_http_request.c	2012-11-13 10:42:16 UTC (rev 4905)
@@ -1634,7 +1634,9 @@
         if (sscf->verify) {
             rc = SSL_get_verify_result(c->ssl->connection);
 
-            if (rc != X509_V_OK) {
+            if (rc != X509_V_OK
+                && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+            {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error: (%l:%s)",
                               rc, X509_verify_cert_error_string(rc));



More information about the nginx-devel mailing list