[RFC][PATCH 0/1] Add option to use directory for trusted CAs

Eero Aaltonen via nginx-devel
July 07, 2023 11:04AM
From: Eero Aaltonen <eero.aaltonen@vaisala.com>

I was looking for an option to configure the trusted CAs using a directory,
equivalent to the OpenSSL -CApath option. The option seemed to be missing, so
here's a minimal working example of what I would like to accomplish.

The current version is still missing code to populate the list used for
SSL_CTX_set_client_CA_list, but enough to actually verify a certificate chain
using CAs in the 'ssl_client_ca_dir' specified directory.

Comments appreciated.

--
Eero

Eero Aaltonen (1):
WIP: SSL: add ssl_client_ca_dir option for trusted CAs

src/event/ngx_event_openssl.c | 24 +++++++++++++++++-------
src/event/ngx_event_openssl.h | 2 +-
src/http/modules/ngx_http_grpc_module.c | 1 +
src/http/modules/ngx_http_proxy_module.c | 1 +
src/http/modules/ngx_http_ssl_module.c | 15 +++++++++++++--
src/http/modules/ngx_http_ssl_module.h | 1 +
src/http/modules/ngx_http_uwsgi_module.c | 1 +
src/mail/ngx_mail_ssl_module.c | 5 +++--
src/stream/ngx_stream_proxy_module.c | 1 +
src/stream/ngx_stream_ssl_module.c | 5 +++--
src/stream/ngx_stream_ssl_module.h | 1 +
11 files changed, 43 insertions(+), 14 deletions(-)

--
2.25.1
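
An added example (not part of the original post or the patch): a name-level audit of a directory intended for use as a trusted-CA directory. It assumes the proposed 'ssl_client_ca_dir' hands the directory to OpenSSL's CApath lookup, as the post describes; `audit_ca_dir`, `build_sample_dir` and the sample file names are hypothetical.

```python
import os
import re
import stat
import tempfile

# OpenSSL's CApath lookup opens <8-hex subject hash>.<n>, trying n = 0, 1, 2, ...
# and stopping at the first name that does not exist. Other file names are ignored.
HASHED = re.compile(r"^[0-9a-f]{8}\.(0|[1-9]\d*)$")


def audit_ca_dir(path):
    """Return (reachable, findings). Name-level check only: it does not parse
    certificates, so it cannot tell whether a hash matches the subject."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("dir-writable", path))  # others can add trusted CAs
    names = sorted(os.listdir(path))
    reachable, targets = [], set()
    for n in filter(HASHED.match, names):
        full = os.path.join(path, n)
        h, idx = n.split(".")
        lower = (os.path.join(path, f"{h}.{i}") for i in range(int(idx)))
        if not os.path.exists(full):  # symlink whose target is gone
            findings.append(("dangling-link", n))
        elif not all(os.path.exists(p) for p in lower):
            findings.append(("index-gap", n))  # lookup stops before this index
        else:
            reachable.append(n)
            targets.add(os.path.realpath(full))
    for n in names:
        full = os.path.join(path, n)
        if (not HASHED.match(n) and n.endswith((".pem", ".crt"))
                and os.path.realpath(full) not in targets):
            findings.append(("not-hashed", n))  # present but never consulted
    return reachable, findings


def build_sample_dir():
    """Constructed sample directory; file contents are placeholders."""
    d = tempfile.mkdtemp()
    for name in ("ca-a.pem", "ca-b.pem", "5e6f7a8b.1"):
        with open(os.path.join(d, name), "w") as f:
            f.write("placeholder\n")
    os.symlink("ca-a.pem", os.path.join(d, "1a2b3c4d.0"))
    os.symlink("missing.pem", os.path.join(d, "deadbeef.0"))
    return d


if __name__ == "__main__":
    print(audit_ca_dir(build_sample_dir()))
```

Hash-named links are normally created with `openssl rehash` (or `c_rehash`); a certificate file without one is silently skipped during verification.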