This parameter requires the client certificate but does not require it to be signed by a trusted CA certificate.
# HG changeset patch
# User Evgenia Titova <zhenyatito...@gmail.com>
# Date 1639309072 -10800
# Sun Dec 12 14:37:52 2021 +0300
# Node ID f65a12913829b4032c390e16bafcefb7efdf27f4
# Parent a7a77549265ef46f1f0fdb3897f4beabf9e09c40
on_no_ca parameter added to ssl_verify_client directive.
This parameter requires the client certificate but does not require it to be signed by a trusted CA certificate.
diff -r a7a77549265e -r f65a12913829 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Sun Dec 12 14:37:52 2021 +0300
@@ -70,6 +70,7 @@
 { ngx_string("on"), 1 },
 { ngx_string("optional"), 2 },
 { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("on_no_ca"), 4 },
 { ngx_null_string, 0 }
 };
@@ -796,7 +797,7 @@
 if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->client_certificate.len == 0 && conf->verify != 3 && conf->verify != 4) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no ssl_client_certificate for ssl_verify_client");
 return NGX_CONF_ERROR;
@@ -825,10 +826,11 @@
 if (conf->ocsp) {
- if (conf->verify == 3) {
+ if (conf->verify == 3 || conf->verify == 4) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "\"ssl_ocsp\" is incompatible with "
- "\"ssl_verify_client optional_no_ca\"");
+ "\"ssl_verify_client optional_no_ca\" or "
+ "\"ssl_verify_client on_no_ca\"");
 return NGX_CONF_ERROR;
 }
diff -r a7a77549265e -r f65a12913829 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/http/ngx_http_request.c Sun Dec 12 14:37:52 2021 +0300
@@ -2057,7 +2057,7 @@
 rc = SSL_get_verify_result(c->ssl->connection);
 if (rc != X509_V_OK
- && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sscf->verify == 1 || sscf->verify == 2 || !ngx_ssl_verify_error_optional(rc)))
 {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "client SSL certificate verify error: (%l:%s)",
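Review bot: The new `{ ngx_string("on_no_ca"), 4 }` entry in ngx_http_ssl_module.c (`@@ -70,6 +70,7 @@`) has no comment saying what mode 4 means. The bare number is then compared in the handlers, and the same entry is added to the tables in ngx_mail_ssl_module.c and ngx_stream_ssl_module.c. Because this mode lets a connection proceed with a certificate whose chain was not validated against a trusted CA, I would add above the entry `/* 4: certificate required, issuer trust not enforced; consumers of the certificate must still check the verify result */`. The table's declaration starts outside the hunk.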
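Review bot: The rewritten line `if (conf->client_certificate.len == 0 && conf->verify != 3 && conf->verify != 4) {` in ngx_http_ssl_module.c (`@@ -796,7 +797,7 @@`) is 82 characters before indentation, which is over the 80-column width nginx sources keep. The identical line is added in ngx_mail_ssl_module.c (`@@ -468,7 +469,7 @@`) and ngx_stream_ssl_module.c (`@@ -831,7 +832,7 @@`). I would wrap it in the style already used for multi-line conditions in these files: `if (conf->client_certificate.len == 0`, then `&& conf->verify != 3 && conf->verify != 4)`, then `{` on its own line. The enclosing function begins and ends outside the hunk.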
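Review bot: The new test `sscf->verify == 1 || sscf->verify == 2 || !ngx_ssl_verify_error_optional(rc)` in ngx_http_request.c (`@@ -2057,7 +2057,7 @@`) enumerates the strict modes, so every verify value other than 1 or 2 takes the lenient path. A mode added to the table later would then tolerate untrusted chains unless this line is also updated. Naming the lenient modes instead keeps the check fail-closed: `&& ((sscf->verify != 3 && sscf->verify != 4)` followed by `|| !ngx_ssl_verify_error_optional(rc)))`, which also fits the 80-column width that the added line exceeds. The same condition is added on `sslcf` in ngx_mail_handler.c (`@@ -401,7 +401,7 @@`) and ngx_stream_ssl_module.c (`@@ -360,7 +361,7 @@`). The enclosing function starts and ends outside the hunk.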
@@ -2070,7 +2070,7 @@
 return;
 }
- if (sscf->verify == 1) {
+ if (sscf->verify == 1 || sscf->verify == 4) {
 cert = SSL_get_peer_certificate(c->ssl->connection);
 if (cert == NULL) {
diff -r a7a77549265e -r f65a12913829 src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/mail/ngx_mail_handler.c Sun Dec 12 14:37:52 2021 +0300
@@ -401,7 +401,7 @@
 rc = SSL_get_verify_result(c->ssl->connection);
 if (rc != X509_V_OK
- && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sslcf->verify == 1 || sslcf->verify == 2 || !ngx_ssl_verify_error_optional(rc)))
 {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "client SSL certificate verify error: (%l:%s)",
@@ -421,7 +421,7 @@
 return NGX_ERROR;
 }
- if (sslcf->verify == 1) {
+ if (sslcf->verify == 1 || sslcf->verify == 4) {
 cert = SSL_get_peer_certificate(c->ssl->connection);
 if (cert == NULL) {
diff -r a7a77549265e -r f65a12913829 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Sun Dec 12 14:37:52 2021 +0300
@@ -61,6 +61,7 @@
 { ngx_string("on"), 1 },
 { ngx_string("optional"), 2 },
 { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("on_no_ca"), 4 },
 { ngx_null_string, 0 }
 };
@@ -468,7 +469,7 @@
 if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->client_certificate.len == 0 && conf->verify != 3 && conf->verify != 4) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no ssl_client_certificate for ssl_verify_client");
 return NGX_CONF_ERROR;
diff -r a7a77549265e -r f65a12913829 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Sun Dec 12 14:37:52 2021 +0300
@@ -76,6 +76,7 @@
 { ngx_string("on"), 1 },
 { ngx_string("optional"), 2 },
 { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("on_no_ca"), 4 },
 { ngx_null_string, 0 }
 };
@@ -360,7 +361,7 @@
 rc = SSL_get_verify_result(c->ssl->connection);
 if (rc != X509_V_OK
- && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sslcf->verify == 1 || sslcf->verify == 2 || !ngx_ssl_verify_error_optional(rc)))
 {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "client SSL certificate verify error: (%l:%s)",
@@ -371,7 +372,7 @@
 return NGX_ERROR;
 }
- if (sslcf->verify == 1) {
+ if (sslcf->verify == 1 || sslcf->verify == 4) {
 cert = SSL_get_peer_certificate(c->ssl->connection);
 if (cert == NULL) {
@@ -831,7 +832,7 @@
 if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->client_certificate.len == 0 && conf->verify != 3 && conf->verify != 4) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 "no ssl_client_certificate for ssl_verify_client");
 return NGX_CONF_ERROR;