author    Sergey Kandaurov <pluknet@nginx.com>
          Fri, 20 Sep 2024 10:08:42 +0000 (14:08 +0400)
committer Roman Arutyunyan <arutyunyan.roman@gmail.com>
          Fri, 20 Sep 2024 10:43:00 +0000 (14:43 +0400)
commit    18afcda938cd2d4712d0d083b57161290a5a2d34
tree      928574fc116b7965e246f0408709acb902e9871c
parent    1a64c196a7d43f83a14fec20ce8936e599c92865
SSL: optional ssl_client_certificate for ssl_verify_client.

Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names.  In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This makes it possible to avoid sending DNs at all.

In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow requesting client certificates with an empty
DN list for any protocol version.  For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.

The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142).  Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed.  A notable difference remains: certificates
specified in ssl_trusted_certificate are always loaded (see 3648ba7db).

Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>
Files changed:
  src/http/modules/ngx_http_ssl_module.c
  src/mail/ngx_mail_ssl_module.c
  src/stream/ngx_stream_ssl_module.c
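To check what a server actually discloses after a change like this one, the CertificateRequest message can be decoded and its certificate_authorities list inspected: a zero-length vector in TLS 1.0-1.2, or an absent extension of type 47 in TLS 1.3, means no DNs were sent. The parser below is an added example, not nginx code; the sample messages it builds are constructed (the DN is a hypothetical CN=Test CA), not captured traffic.

```python
"""Parse a TLS CertificateRequest and list the CA DNs it discloses (added example)."""
HS_CERTIFICATE_REQUEST, EXT_CERTIFICATE_AUTHORITIES = 13, 47  # handshake type, extension type

def _vector(buf, pos, len_bytes):
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")  # length-prefixed vector
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n

def _dn_list(blob):
    names, pos = [], 0  # certificate_authorities body: DistinguishedName<1..2^16-1> entries
    while pos < len(blob):
        dn, pos = _vector(blob, pos, 2)
        names.append(dn)
    return names

def certificate_authorities(msg, tls13=False):
    """Return the DER-encoded DNs carried by a CertificateRequest handshake message."""
    assert msg[0] == HS_CERTIFICATE_REQUEST, "not a CertificateRequest"
    body, _ = _vector(msg, 1, 3)                   # 3-byte handshake length
    if not tls13:
        _types, pos = _vector(body, 0, 1)          # certificate_types
        _sigalgs, pos = _vector(body, pos, 2)      # supported_signature_algorithms
        return _dn_list(_vector(body, pos, 2)[0])  # [] when the vector is zero-length
    exts, _ = _vector(body, 1 + body[0], 2)        # skip certificate_request_context
    pos = 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vector(exts, pos + 2, 2)
        if ext_type == EXT_CERTIFICATE_AUTHORITIES:
            return _dn_list(_vector(data, 0, 2)[0])
    return []                                      # extension omitted: no DNs sent

def _vec(payload, len_bytes): return len(payload).to_bytes(len_bytes, "big") + payload

# Constructed sample input (hypothetical DN "CN=Test CA" in DER), not captured traffic.
TEST_CA_DN = bytes.fromhex("30123110300e06035504030c0754657374204341")

def tls12_request(dns):
    cas = b"".join(_vec(d, 2) for d in dns)
    body = _vec(b"\x01", 1) + _vec(b"\x04\x01", 2) + _vec(cas, 2)  # rsa_sign; sha256/rsa
    return b"\x0d" + _vec(body, 3)

def tls13_request(dns):
    exts = b"\x00\x0d" + _vec(_vec(b"\x04\x03", 2), 2)  # signature_algorithms extension
    if dns:
        cas = b"".join(_vec(d, 2) for d in dns)
        exts += b"\x00\x2f" + _vec(_vec(cas, 2), 2)     # certificate_authorities extension
    return b"\x0d" + _vec(_vec(b"", 1) + _vec(exts, 2), 3)
```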