(re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

Re-post of patch from

Updated version of the patch in the original thread haven’t received any
new
attention, it seems, and I’ve received several inquiries now about the
status of this work, so this thread is basically an attempt to draw more
attention to this patch.

Use-case is the same as before - enable CA-chain validation in the
application only - but with all non-CA-chain validation handled by
nginx, so
it won’t be necessary to duplicate (and possibly mess-up) these details
(handled by openssl) in application code.

For more details on reasoning behind the use-case and the previous
comments
on how it should be implemented, please see the original ‘[PATCH] Add
“pass_only” option to ssl_verify_client to enable app-only validation’
thread (linked for the web interface above).

Notes from original thread on the latest patch incarnation:

Option is now called “optional_no_ca”, as suggested, and allows to check
all
certificate parameters except for a trust chain. I’ve used
ssl_verify_error_is_optional macro (listing trust-chain related errors)
directly
from apache 2.4.2 codebase.

Note that since ngx_ssl_get_client_verify now has to access configuration,
which
is accessible from ngx_http_request_t, it wasn’t enough to pass
ngx_connection_t
to it, plus it was only used from ngx_http_ssl_module.c, so I’ve moved
the
modified version of it into ngx_http_ssl_module.c, to avoid having to
include
http-only stuff into ngx_event_openssl.c. If that was a bad idea, and
there’s a
need to keep that function generic (non-http-only), please suggest
whether
generic copy should just be kept in ngx_event_openssl.c, it’s signature
should
be extended to have http-specific options or maybe there should be
conditional
includes for http stuff.

URL for the patch: https://raw.github.com/gist/3319062/

(I’m not posting the patch inline here, because forum interface seem to
break it anyway, but it can also be found inline in the original thread)

Posted at Nginx Forum:

bumping +1

required for http://webid.info/
developed in W3C Community Group: WebID Community Group

Posted at Nginx Forum:

Hello!

On Sat, Sep 15, 2012 at 07:52:30AM -0400, mk.fg wrote:

(handled by openssl) in application code.
You may want to join discussion here, about the similar patch
submitted:

http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002643.html

In particular, I would like someone to actually test if the
error_page 495 aproach works instead as suggested here:

http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002650.html

And a quick comment for your patch: I tend to think that
introduction of ngx_http_ssl_variable_get_client_verify() is
misleading. We shouldn’t try to claim the certificate was
verified unless it actually was.

Maxim D.