[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation
Ruslan Ermilov
ru at nginx.com
Mon Oct 8 14:49:31 UTC 2012
On Wed, Oct 03, 2012 at 12:55:15PM -0400, Eric O'Connor wrote:
> Great!
>
> Here is a short [English] documentation patch to match. Unfortunately,
> I do not speak Russian. Sorry.
Here's the cleaned up version:
%%%
Index: ngx_http_ssl_module.xml
===================================================================
--- ngx_http_ssl_module.xml (revision 712)
+++ ngx_http_ssl_module.xml (working copy)
@@ -10,7 +10,7 @@
<module name="Module ngx_http_ssl_module"
link="/en/docs/http/ngx_http_ssl_module.html"
lang="en"
- rev="2">
+ rev="3">
<section id="summary">
@@ -481,7 +481,7 @@
<directive name="ssl_verify_client">
<syntax>
<literal>on</literal> | <literal>off</literal> |
- <literal>optional</literal></syntax>
+ <literal>optional</literal> | <literal>optional_no_ca</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>
@@ -490,6 +490,12 @@
Enables the client certificate verification.
The <literal>optional</literal> parameter (0.8.7+) requests the client
certificate and verifies it if it was present.
+The <literal>optional_no_ca</literal> parameter (1.3.7) requests the client
+certificate but performs no certificate chain verification.
+This is intended to be used with a
+<link doc="ngx_http_proxy_module.xml" id="proxy_set_header"/> directive
+to pass the <var>$ssl_client_cert</var> variable to a server that performs
+verification.
The result of verification is stored in the
<var>$ssl_client_verify</var> variable.
</para>
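Review bot: The added paragraph says optional_no_ca "performs no certificate chain verification", but the unchanged sentence right after it still reads "The result of verification is stored in the $ssl_client_verify variable", and nothing says what that variable holds in this mode. Suggest stating that explicitly, and spelling out that with this parameter a presented certificate has not been shown to chain to a trusted CA until the server receiving $ssl_client_cert has checked it, so access decisions should not be made on the nginx side. Minor: "(1.3.7)" has no "+" while the line above writes "(0.8.7+)"; make the two consistent if the omission is not deliberate.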
%%%