[RFC][PATCH 0/1] Add option to use directory for trusted CAs
eero.aaltonen at vaisala.com
Fri Jul 7 15:02:14 UTC 2023
From: Eero Aaltonen <eero.aaltonen at vaisala.com>

I was looking for an option to configure the trusted CAs using a directory,
equivalent to the OpenSSL -CApath option. The option seemed to be missing, so
here's a minimal working example of what I would like to accomplish.

The current version is still missing code to populate the list used for
SSL_CTX_set_client_CA_list, but enough to actually verify a certificate chain
using CAs in the 'ssl_client_ca_dir' specified directory.

Comments appreciated.

--
Eero

Eero Aaltonen (1):
  WIP: SSL: add ssl_client_ca_dir option for trusted CAs

 src/event/ngx_event_openssl.c            | 24 +++++++++++++++++-------
 src/event/ngx_event_openssl.h            |  2 +-
 src/http/modules/ngx_http_grpc_module.c  |  1 +
 src/http/modules/ngx_http_proxy_module.c |  1 +
 src/http/modules/ngx_http_ssl_module.c   | 15 +++++++++++++--
 src/http/modules/ngx_http_ssl_module.h   |  1 +
 src/http/modules/ngx_http_uwsgi_module.c |  1 +
 src/mail/ngx_mail_ssl_module.c           |  5 +++--
 src/stream/ngx_stream_proxy_module.c     |  1 +
 src/stream/ngx_stream_ssl_module.c       |  5 +++--
 src/stream/ngx_stream_ssl_module.h       |  1 +
 11 files changed, 43 insertions(+), 14 deletions(-)
--
2.25.1
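
An added example, not part of the original message or the patch: a pre-deployment audit of a directory meant to be used the way OpenSSL's -CApath uses one, flagging entries that the hashed-name lookup would silently skip. It assumes the proposed 'ssl_client_ca_dir' follows the same lookup rules as -CApath; the function name `audit_ca_dir` is hypothetical.

```python
import os
import re
import stat

# OpenSSL's hashed-directory lookup opens <8-hex subject hash>.<n> (CRLs: .r<n>),
# counting n up from 0 and stopping at the first name that does not exist.
HASHED = re.compile(r"^([0-9a-f]{8})\.(r?)(\d+)$")
PEM_MARKERS = ("-----BEGIN CERTIFICATE-----",
               "-----BEGIN TRUSTED CERTIFICATE-----",
               "-----BEGIN X509 CRL-----")


def audit_ca_dir(path):
    """Return sorted (entry, problem) pairs for a CApath-style directory."""
    findings, seen, covered, plain = [], {}, set(), []
    if stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "directory is group- or world-writable"))
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.islink(full) and not os.path.exists(full):
            findings.append((name, "dangling symlink"))
            continue
        if not os.path.isfile(full):
            continue
        with open(full, "r", errors="replace") as fh:
            text = fh.read()
        is_pem = any(marker in text for marker in PEM_MARKERS)
        match = HASHED.match(name)
        if match is None:
            if is_pem:
                plain.append((name, os.path.realpath(full)))
            continue
        covered.add(os.path.realpath(full))
        if not is_pem:
            findings.append((name, "hashed name but no PEM certificate or CRL"))
        seen.setdefault(match.group(1, 2), set()).add(int(match.group(3)))
    for name, real in plain:
        if real not in covered:  # no hashed link points at this file
            findings.append((name, "PEM file never reached by hashed lookup"))
    for (digest, kind), numbers in seen.items():
        gap = next(i for i in range(len(numbers) + 1) if i not in numbers)
        for n in sorted(x for x in numbers if x > gap):
            findings.append((f"{digest}.{kind}{n}",
                             f"ignored: {digest}.{kind}{gap} is missing"))
    return sorted(findings)
```

The audit checks names and layout only; it does not recompute the subject hash, so a link that carries the wrong hash still passes. Running `openssl rehash` on the directory regenerates the links.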
More information about the nginx-devel mailing list