[PATCH] Add a no_verify option for SSL client authentication

Eric O'Connor
August 18, 2012 11:50AM
Hello Nginx,

This patch adds a "ssl_verify_client no_verify;" option that triggers
a client to upload a certificate, but does not throw an exception when
that certificate does not validate. It also allows
"ssl_client_certificate" to not exist when this option is specified.

This is useful for our company's application where we would like to do
SSL client authentication on an application server.

Any feedback is welcome.

~ Eric O'Connor

---
src/http/modules/ngx_http_ssl_module.c | 3 ++-
src/http/ngx_http_request.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/http/modules/ngx_http_ssl_module.c
b/src/http/modules/ngx_http_ssl_module.c
index d759489..fede8e0 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -48,6 +48,7 @@ static ngx_conf_enum_t ngx_http_ssl_verify[] = {
{ ngx_string("off"), 0 },
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
+ { ngx_string("no_verify"), 3 },
{ ngx_null_string, 0 }
};
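Review bot: the new table entry `{ ngx_string("no_verify"), 3 }` introduces a bare numeric mode that the two later hunks compare against literally (`conf->verify != 3`, `sscf->verify != 3`); define a named constant next to this enum (for example `#define NGX_HTTP_SSL_VERIFY_NO_VERIFY 3`, a suggested name) and use it in both comparisons so the mode is not tied to a magic number. The entry also needs a comment or a documentation line saying exactly what it does: like the existing non-`off` values it still requests a client certificate, but it discards the verification result, which is weaker than any of the three existing modes and should be called out as such rather than left to be inferred from the name.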

@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void
*parent, void *child)

if (conf->verify) {

- if (conf->client_certificate.len == 0) {
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for
ssl_client_verify");
return NGX_CONF_ERROR;
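Review bot: relaxing the check to `conf->client_certificate.len == 0 && conf->verify != 3` only skips the "no ssl_client_certificate" error; the remainder of the `if (conf->verify)` block, which lies outside this hunk's context, still runs with an empty `client_certificate` when `no_verify` is configured without `ssl_client_certificate`. The hunk should show (or the cover letter should state) that the certificate-loading step later in that block is skipped or tolerates an empty path; otherwise the configuration the cover letter describes as now allowed may still fail at startup, just with a different error.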
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index c104db1..5d02683 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1634,7 +1634,7 @@ ngx_http_process_request(ngx_http_request_t *r)
if (sscf->verify) {
rc = SSL_get_verify_result(c->ssl->connection);

- if (rc != X509_V_OK) {
+ if (sscf->verify != 3 && rc != X509_V_OK) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error:
(%l:%s)",
rc, X509_verify_cert_error_string(rc));
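Review bot: `sscf->verify != 3 && rc != X509_V_OK` silently drops the verification result: a certificate that failed chain validation is accepted with no log entry, so nothing on the nginx side distinguishes a validated client from an unvalidated one. Keep at least an `NGX_LOG_INFO` (or debug) line in the `no_verify` case recording `rc` and `X509_verify_cert_error_string(rc)`, since the stated purpose of the mode is to defer the decision to the application server and its operators will want the nginx-side reason when debugging. The patch description should also say plainly that with `no_verify` the backend is solely responsible for validating the certificate it receives.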
--


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
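As an added illustration of the deployment the cover letter describes (this is not part of the patch or of the original post): a server block that, with this patch applied, requests a client certificate using the proposed `no_verify` mode and forwards it to an application server that performs its own validation. The hostname, certificate paths, header name, `/api/` location and upstream address are assumed values.

```nginx
# Added example, not from the original post. Assumes this patch is applied,
# since "no_verify" is not a stock ssl_verify_client value.
server {
    listen 443 ssl;
    server_name app.example.com;                      # assumed hostname

    ssl_certificate     /etc/nginx/ssl/server.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Request a client certificate during the handshake but, per the patch,
    # do not reject the connection when it fails chain validation.
    # ssl_client_certificate is deliberately absent: the patch allows that
    # when no_verify is set.
    ssl_verify_client no_verify;

    location /api/ {
        # Hand the PEM-encoded certificate to the application server, which
        # must validate the chain itself, because nginx has not.
        proxy_set_header X-SSL-Client-Cert $ssl_client_cert;   # assumed header name
        proxy_pass http://127.0.0.1:8080;                      # assumed upstream
    }
}
```

Because nginx discards the verification result in this mode, the application server has to treat the forwarded certificate as unverified input and check it against its own trust store, and it should accept that header only from this nginx instance so that a client reaching the upstream directly cannot supply its own.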