Maxim Dounin
September 18, 2012 03:46AM
Hello!

On Sat, Sep 15, 2012 at 07:52:30AM -0400, mk.fg wrote:

> Re-post of patch from
> http://forum.nginx.org/read.php?2,228761,229586#msg-229586
> Updated version of the patch in the original thread hasn't received any new
> attention, it seems, and I've received several inquiries now about the
> status of this work, so this thread is basically an attempt to draw more
> attention to this patch.
>
> Use-case is the same as before - enable CA-chain validation in the
> application only - but with all non-CA-chain validation handled by nginx, so
> it won't be necessary to duplicate (and possibly mess-up) these details
> (handled by openssl) in application code.

You may want to join discussion here, about the similar patch
submitted:

http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002643.html

In particular, I would like someone to actually test if the
error_page 495 approach works instead as suggested here:

http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002650.html

And a quick comment for your patch: I tend to think that
introduction of ngx_http_ssl_variable_get_client_verify() is
misleading. We shouldn't try to claim the certificate was
verified unless it actually was.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

mk.fg September 15, 2012 07:52AM

Re: [PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

elf-pavlik September 15, 2012 08:07AM

Re: [PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

Maxim Dounin September 18, 2012 03:46AM


