From b6dc93430220590944f480dabb1bdd49a504f663 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Fri, 28 Sep 2012 17:55:37 +0200 Subject: [PATCH] DOC: ssl: add 'ca-ignore-err' and 'crt-ignore-err' statements on 'bind' --- doc/configuration.txt | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 48a6b98b0..9cc77d0d8 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -6747,6 +6747,12 @@ cafile designates a PEM file from which to load CA certificates used to verify client's certificate. +ca-ignore-err [all|,...] + This setting is only available when support for OpenSSL was built in. + Sets a comma separated list of errorIDs to ignore during verify at depth > 0. + If set to 'all', all errors are ignored. SSL handshake is not aborted if an + error is ignored. + ciphers This setting is only available when support for OpenSSL was built in. It sets the string describing the list of cipher algorithms ("cipher suite") that are @@ -6778,6 +6784,12 @@ crt a directory, it is highly recommended to load the default one first as a file. Note that the same cert may be loaded multiple times without side effects. +crt-ignore-err + This setting is only available when support for OpenSSL was built in. + Sets a comma separated list of errorIDs to ignore during verify at depth == 0. + If set to 'all', all errors are ignored. SSL handshake is not abored if an + error is ignored. + defer-accept Is an optional keyword which is supported only on certain Linux kernels. It states that a connection will only be accepted once some data arrive on it, 
@@ -6937,7 +6949,8 @@ verify [none|optional|required] handshake is aborted, while it would have succeeded if set to 'optional'. The certificate provided by the client is always verified using CAs from 'cafile' and optional CRLs from 'crlfile'. On verify failure the handshake is aborted, - regardless of the 'verify' option. + regardless of the 'verify' option, unless the error code exactly matches one + of those listed with 'ca-ignore-err' or 'crt-ignore-err'. 5.2. Server and default-server options ------------------------------------
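Review bot: In the 'ca-ignore-err' entry, the sentence "Sets a comma separated list of errorIDs to ignore during verify at depth > 0" never says what an errorID is or where its values are defined, so a reader cannot write a valid list from this text alone. Please state where the IDs come from (presumably the OpenSSL verify error codes, given the "support for OpenSSL" line) and say which certificates depth > 0 refers to. Since "SSL handshake is not aborted if an error is ignored", the entry should also state that 'all' lets the handshake complete with any verification failure at that depth.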
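Review bot: Typo in the last sentence of the 'crt-ignore-err' entry: "SSL handshake is not abored" should read "aborted". The keyword line of this entry also shows no argument, while 'ca-ignore-err' shows "[all|,...]"; both descriptions speak of a comma separated list of errorIDs or 'all', so the two syntax lines should match.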
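Review bot: In the 'verify' paragraph, "unless the error code exactly matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'" does not cover the 'all' value that both new entries document, where no code is listed and every error is ignored. Suggest wording along the lines of "unless the error is ignored through 'ca-ignore-err' or 'crt-ignore-err'". Because the preceding text says a verify failure aborts the handshake "regardless of the 'verify' option", it is also worth stating outright that an ignored error lets the handshake complete even with 'verify required'.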