ssl_optional_no_ca.patch
commit 29456da2042759c7e8a0c18671b798eab0d2b860
Author: Mike Kazantsev <mk.fraggod@gmail.com>
Date: Sat Sep 22 16:30:02 2012 +0600
Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index cd6d885..97da051 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -141,6 +141,14 @@ ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+#define ngx_ssl_verify_error_is_optional(errnum) \
+ ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
+ || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
+ || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
+ || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
+ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+
+
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
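Review bot: The macro added at the top of the hunk expands `errnum` five times without parenthesizing it, so an argument with lower precedence or a side effect (`foo(), bar()`, `x++`) is miscompiled or re-evaluated; wrap each use as `(errnum)`. The header also says nothing about what membership in this list means — every one of the five codes is a missing or untrusted issuer/anchor condition rather than an expiry, signature or revocation failure — and a reader should not have to infer that the application behind nginx is now the only chain validator. Parenthesized version with the explanatory comment:
```c
/*
 * Verify-result codes tolerated by ssl_verify_client "optional_no_ca".
 * Each one means the chain could not be anchored to a trusted CA (missing
 * or untrusted issuer); in that mode the application, not nginx, is
 * responsible for validating the chain it receives.
 */
#define ngx_ssl_verify_error_is_optional(errnum)                             \
    (((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)                    \
     || ((errnum) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)                   \
     || ((errnum) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)           \
     || ((errnum) == X509_V_ERR_CERT_UNTRUSTED)                              \
     || ((errnum) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
```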
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index d759489..ab91670 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -48,6 +48,7 @@ static ngx_conf_enum_t ngx_http_ssl_verify[] = {
{ ngx_string("off"), 0 },
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
+ { ngx_string("optional_no_ca"), 3 },
{ ngx_null_string, 0 }
};
@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->verify) {
- if (conf->client_certificate.len == 0) {
+ if (conf->verify != 3 && conf->client_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for ssl_client_verify");
return NGX_CONF_ERROR;
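Review bot: The new mode is compared as the bare literal `3` in the changed `if`, and the same literal appears twice more in ngx_http_request.c; a named constant next to the `ngx_http_ssl_verify[]` table keeps the three sites in step, e.g. `#define NGX_HTTP_SSL_VERIFY_OPTIONAL_NO_CA  3` and `if (conf->verify != NGX_HTTP_SSL_VERIFY_OPTIONAL_NO_CA && conf->client_certificate.len == 0) {`. The hunk only relaxes the configuration check; whether the later client-certificate/CA setup in this function is still invoked with an empty `client_certificate` in that mode is outside the hunk and worth confirming, since ngx_http_ssl_merge_srv_conf continues past the visible lines. A one-line comment on the relaxed check, such as `/* optional_no_ca: chain is validated by the application, no CA file needed */`, would record why the guard is skipped.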
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index cb970c5..96cec55 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1642,7 +1642,9 @@ ngx_http_process_request(ngx_http_request_t *r)
if (sscf->verify) {
rc = SSL_get_verify_result(c->ssl->connection);
- if (rc != X509_V_OK) {
+ if ((sscf->verify != 3 && rc != X509_V_OK)
+ || !(sscf->verify == 3 && ngx_ssl_verify_error_is_optional(rc)))
+ {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: (%l:%s)",
rc, X509_verify_cert_error_string(rc));
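Review bot: The rewritten condition takes the error branch for every connection in the existing modes: with `sscf->verify` equal to 1 or 2 the second disjunct `!(sscf->verify == 3 && …)` is always true, so a client certificate that verifies cleanly (`rc == X509_V_OK`) is still logged as a verify error and, presumably, rejected by the code that follows below the hunk. Mode 3 is broken in the opposite direction too: for `rc == X509_V_OK` the macro is false, so `!(true && false)` is true and a fully valid chain is refused. The intended logic is a single test, `if (rc != X509_V_OK && !(sscf->verify == 3 && ngx_ssl_verify_error_is_optional(rc)))`. Since a tolerated chain error now leaves no trace, consider a debug-level log of `rc` on the accepted path so application-side validation failures can be correlated; ngx_http_process_request continues outside the hunk.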