[PATCH] on_no_ca parameter added to ssl_verify_client directive

Maxim Dounin mdounin at mdounin.ru
Mon Dec 13 02:53:09 UTC 2021


Hello!

On Sun, Dec 12, 2021 at 03:51:50PM +0300, Evgenia Titova wrote:

> # HG changeset patch
> # User Evgenia Titova <zhenyatitoova at gmail.com>
> # Date 1639309072 -10800
> #      Sun Dec 12 14:37:52 2021 +0300
> # Node ID f65a12913829b4032c390e16bafcefb7efdf27f4
> # Parent  a7a77549265ef46f1f0fdb3897f4beabf9e09c40
> on_no_ca parameter added to ssl_verify_client directive.
> 
> This parameter requires the client certificate but does not require it to be signed by a trusted CA certificate.
> 
> diff -r a7a77549265e -r f65a12913829 src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c	Thu Nov 25 22:02:10 2021 +0300
> +++ b/src/http/modules/ngx_http_ssl_module.c	Sun Dec 12 14:37:52 2021 +0300
> @@ -70,6 +70,7 @@
>      { ngx_string("on"), 1 },
>      { ngx_string("optional"), 2 },
>      { ngx_string("optional_no_ca"), 3 },
> +    { ngx_string("on_no_ca"), 4 },
>      { ngx_null_string, 0 }
>  };
>  
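Review bot: the new `{ ngx_string("on_no_ca"), 4 },` entry in the verify-mode table has no visible consumer in the quoted lines. The commit message says the certificate is required but need not be signed by a trusted CA, so the patch should show where value 4 rejects a client that sends no certificate while still tolerating a failed chain verification. Without that code the parameter would parse but its enforcement cannot be reviewed. The new mode also needs a documentation entry next to "optional_no_ca" stating that nginx does not establish trust in the certificate in this mode, so whatever consumes it has to validate it.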

Thank you for the patch.

You may want to be more specific on how it is expected to be used 
and why existing options are not enough.  Quick look suggests that 
"optional_no_ca" with additional $ssl_client_verify and/or 
$ssl_client_cert tests should do the same.  Given that 
"optional_no_ca" anyway implies $ssl_client_cert verification by 
an external service, it is not clear why the new mode should be 
needed.

-- 
Maxim Dounin
http://mdounin.ru/
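
The alternative suggested in the reply above, written out as an added configuration example (not part of the original message or of the nginx sources): "optional_no_ca" combined with a $ssl_client_verify test makes the certificate mandatory without requiring a trusted CA. The server name, file paths, header names and backend address are assumptions chosen for illustration.

```nginx
# Added example: constructed configuration, all names and paths are placeholders.
server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Ask for a client certificate, but let the handshake complete even if
    # none is sent or the one sent is not signed by a trusted CA.
    ssl_verify_client optional_no_ca;

    location / {
        # $ssl_client_verify is "NONE" when the client presented no
        # certificate. Rejecting that case makes the certificate required.
        if ($ssl_client_verify = NONE) {
            return 400;
        }

        # nginx has not established trust in the certificate here: the value
        # may be "SUCCESS" or "FAILED:<reason>". Pass both the result and the
        # certificate to the service that performs the real verification.
        # proxy_set_header replaces any client-supplied copies of these headers.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        # URL-encoded PEM form of the certificate exposed by $ssl_client_cert.
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;

        proxy_pass http://127.0.0.1:8080;
    }
}
```

The backend must treat the forwarded certificate as unverified input and must only accept these headers from the proxy itself.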

