git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Emeric Brun <ebrun@exceliance.fr>
	Fri, 21 Sep 2012 12:31:21 +0000 (14:31 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Tue, 2 Oct 2012 06:32:50 +0000 (08:32 +0200)
commit	81c00f0a7a148e2bdf6f7ffc2fda9c7cf8e233cc
tree	e0975d9ad96e39ee0b7bcbc8dbee9ba15b4afacf	tree \| snapshot
parent	b4354087ee4865c8c19072fa82f26a2409d635cc	commit \| diff

MINOR: ssl: add ignore verify errors options

Allow to ignore some verify errors and to let them pass the handshake.

Add option 'crt-ignore-err <list>'
Ignore verify errors at depth == 0 (client certificate)
<list> is string 'all' or a comma separated list of verify error IDs
(see http://www.openssl.org/docs/apps/verify.html)

Add option 'ca-ignore-err <list>'
Same as 'crt-ignore-err' for all depths > 0 (CA chain certs)

Ex ignore all errors on CA and expired or not-yet-valid errors
on client certificate:

bind 0.0.0.0:443 ssl crt crt.pem verify required
cafile ca.pem ca-ignore-err all crt-ignore-err 10,9

include/types/listener.h		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history