Hello,

Proposed patch enables use-case scenario when Nginx asks Client for TLS certificate but does not make any attempt to validate it, passing it to the application instead. Application itself if then free to decide whether provided certificate is valid and is able to reject it with the same http status codes as Nginx does.

Same use-case is also referenced in "http://forum.nginx.org/read.php?2,15584" and is *critical* for implementing protocols like WebID (http://www.w3.org/wiki/WebID), which relies on custom TLS certificates, which are signed with keys which are unknown in advance.
With the patch, that can be accomplished by specifying "ssl_verify_client pass_only;" ("ssl_client_certificate" is *not* used in this case) and using "uwsgi_param X_CLIENT_CERT $ssl_client_raw_cert;" (or similar options for different backends).

Currently, Nginx supports "off", "on" and "optional" parameters to "ssl_verify_client" option, latter of which ("on" and "optional") require CA certificate (specified with "ssl_client_certificate" option) and perform mandatory check against it if client provides certificate.
"optional" parameter seem to allow client to skip providing the certificate, but still requires CA certificate and performs the check (if client provides the cert), returning http status 495 if validation against that CA fails.
So there is currently no way to require client certificate but perform it's validation in application (or on whatever backend) only, hence the patch.

Please consider merging the patch into nginx codebase, enabling aforementioned use-case in some other way, or at least commenting on why it might be wrong or unsuitable approach/feature (if only to block further proposals in the same vein).

Patch is made on top of current (as of 07.2012) svn trunk.
In case forum interface mangles the inline attachment, it can also be found on the following URL: https://raw.github.com/gist/3146701/


From 0ade221a2dbaeedfa5255875a89485166221a6f0 Mon Sep 17 00:00:00 2001
From: Mike Kazantsev <mk.fraggod@gmail.com>
Date: Fri, 20 Jul 2012 02:45:10 +0600
Subject: [PATCH] Add "pass_only" option to ssl_verify_client to enable
app-only validation

---
src/http/modules/ngx_http_ssl_module.c | 3 ++-
src/http/ngx_http_request.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index d759489..4435435 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -48,6 +48,7 @@ static ngx_conf_enum_t ngx_http_ssl_verify[] = {
{ ngx_string("off"), 0 },
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
+ { ngx_string("pass_only"), 3 },
{ ngx_null_string, 0 }
};

@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

if (conf->verify) {

- if (conf->client_certificate.len == 0) {
+ if (conf->verify != 3 && conf->client_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for ssl_client_verify");
return NGX_CONF_ERROR;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 26420b1..11373dc 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1631,7 +1631,7 @@ ngx_http_process_request(ngx_http_request_t *r)

sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);

- if (sscf->verify) {
+ if (sscf->verify && sscf->verify != 3) {
rc = SSL_get_verify_result(c->ssl->connection);

if (rc != X509_V_OK) {
--
1.7.10.4