Hello!

On Fri, Jul 07, 2023 at 06:02:14PM +0300, Eero Aaltonen via nginx-devel wrote:

> From: Eero Aaltonen <eero.aalto...@vaisala.com>
> 
> I was looking for an option to configure the trusted CAs using a directory,
> equivalent to the OpenSSL -CApath option. The option seemed to be missing, so
> here's a minimal working example of what I would like to accomplish.
> 
> The current version is still missing code to populate the list used for
> SSL_CTX_set_client_CA_list, but enough to actually verify a certificate chain
> using CAs in the 'ssl_client_ca_dir' specified directory.
> 
> Comments appreciated.

The option to configure CAs using a directory is missing 
intentionally, as loading relevant CA certificates into memory is 
expected to be more efficient than checking things on disk on each 
connection.

If you are nevertheless interested in configuring a directory, 
consider using ssl_conf_command with VerifyCAPath/ClientCAPath 
(https://nginx.org/r/ssl_conf_command, 
https://nginx.org/r/proxy_ssl_conf_command).

-- 
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
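
The ssl_conf_command approach suggested in the reply above, as an added configuration example that is not part of the original message or of the nginx project. The server name and all file and directory paths are placeholders, and keeping a CA file alongside the directory is an assumption of this example.

```nginx
# Added example: client-certificate verification against a CA directory.
# ssl_conf_command needs nginx 1.19.4+ built against OpenSSL 1.0.2+.
server {
    listen              443 ssl;
    server_name         example.test;                       # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;          # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;          # placeholder

    ssl_verify_client   on;
    ssl_verify_depth    2;

    # A CA file is still configured here (assumption of this example);
    # the directory lookups below are added on top of it.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;    # placeholder

    # OpenSSL CApath-style directory (placeholder path). Certificates must
    # be reachable under their subject-hash names (<hash>.0), which
    # "openssl rehash <dir>" or c_rehash creates.
    # VerifyCAPath: directory searched when verifying the client's chain.
    ssl_conf_command VerifyCAPath /etc/nginx/tls/client-ca.d;
    # ClientCAPath: directory whose CA names are sent to clients as
    # acceptable issuers in the certificate request.
    ssl_conf_command ClientCAPath /etc/nginx/tls/client-ca.d;
}
```

For verifying upstream servers, the same OpenSSL commands are passed with proxy_ssl_conf_command instead.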
