ssl_optional_no_ca.patch
commit 29456da2042759c7e8a0c18671b798eab0d2b860 | |
Author: Mike Kazantsev <mk.fraggod@gmail.com> | |
Date: Sat Sep 22 16:30:02 2012 +0600 | |
Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation | |
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h | |
index cd6d885..97da051 100644 | |
--- a/src/event/ngx_event_openssl.h | |
+++ b/src/event/ngx_event_openssl.h | |
@@ -141,6 +141,14 @@ ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, | |
ngx_str_t *s); | |
+#define ngx_ssl_verify_error_is_optional(errnum) \ | |
+ ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \ | |
+ || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \ | |
+ || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \ | |
+ || (errnum == X509_V_ERR_CERT_UNTRUSTED) \ | |
+ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) | |
+ | |
+ | |
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); | |
ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size); | |
ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); | |
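Review bot: The macro parameter `errnum` is used unparenthesized in every comparison, so an argument that is itself an expression (e.g. a conditional) would be parsed against `==` before the intended grouping; each use should read `((errnum) == X509_V_ERR_...)`, or the test could be a `static inline` function taking a `long`, which is what `SSL_get_verify_result` returns. The list also deserves a comment above the `#define`, since it is what `optional_no_ca` silently accepts: something like `/* verify results that mean only that the chain could not be anchored to a CA configured here (self-signed, missing issuer, untrusted or unverifiable leaf); optional_no_ca tolerates these because the application checks the chain itself, and every other X509_V_ERR_* remains fatal */`. Without that note a later reader may take the name "optional" to mean the whole verification is optional, rather than only the trust-anchor step.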
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c | |
index d759489..ab91670 100644 | |
--- a/src/http/modules/ngx_http_ssl_module.c | |
+++ b/src/http/modules/ngx_http_ssl_module.c | |
@@ -48,6 +48,7 @@ static ngx_conf_enum_t ngx_http_ssl_verify[] = { | |
{ ngx_string("off"), 0 }, | |
{ ngx_string("on"), 1 }, | |
{ ngx_string("optional"), 2 }, | |
+ { ngx_string("optional_no_ca"), 3 }, | |
{ ngx_null_string, 0 } | |
}; | |
@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | |
if (conf->verify) { | |
- if (conf->client_certificate.len == 0) { | |
+ if (conf->verify != 3 && conf->client_certificate.len == 0) { | |
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
"no ssl_client_certificate for ssl_client_verify"); | |
return NGX_CONF_ERROR; | |
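Review bot: The literal `3` in `conf->verify != 3` is the meaning of the new `"optional_no_ca"` table entry in the hunk above and is repeated in ngx_http_request.c (`sscf->verify != 3`, `sscf->verify == 3`), so the three files now agree on a magic number with no shared name. A named constant next to the table, e.g. `#define NGX_HTTP_SSL_VERIFY_OPTIONAL_NO_CA  3`, used in both the merge check and the request-time check, keeps them from drifting apart. The merge function continues outside this hunk, so whether the CA-loading call that follows copes with an empty `client_certificate` for this mode cannot be confirmed from here and should be checked.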
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c | |
index cb970c5..96cec55 100644 | |
--- a/src/http/ngx_http_request.c | |
+++ b/src/http/ngx_http_request.c | |
@@ -1642,7 +1642,9 @@ ngx_http_process_request(ngx_http_request_t *r) | |
if (sscf->verify) { | |
rc = SSL_get_verify_result(c->ssl->connection); | |
- if (rc != X509_V_OK) { | |
+ if ((sscf->verify != 3 && rc != X509_V_OK) | |
+ || !(sscf->verify == 3 && ngx_ssl_verify_error_is_optional(rc))) | |
+ { | |
ngx_log_error(NGX_LOG_INFO, c->log, 0, | |
"client SSL certificate verify error: (%l:%s)", | |
rc, X509_verify_cert_error_string(rc)); |
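Review bot: The new condition in ngx_http_process_request takes the error branch for a certificate that verified cleanly: when `sscf->verify` is 1 or 2, `!(sscf->verify == 3 && ...)` is always true, so the `||` makes the whole test true regardless of `rc`; and when `sscf->verify` is 3 and `rc == X509_V_OK`, the macro is false for `X509_V_OK`, so `!(...)` is again true. The fix is to gate on the verify result first and only then exempt the tolerated errors: `if (rc != X509_V_OK` / `    && !(sscf->verify == 3 && ngx_ssl_verify_error_is_optional(rc)))` / `{`. That keeps `on` and `optional` behaving as before and lets `optional_no_ca` reject everything except the listed chain-anchoring errors. The rest of the function, including any later "no required certificate" check, is outside the hunk.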