--- modules/ssl.orig/mod_ssl.c 2008-05-17 15:50:14.000000000 -0400 +++ modules/ssl.orig/mod_ssl.c 2009-05-26 21:56:37.000000000 -0400 @@ -131,7 +131,7 @@ "(`/path/to/file' - PEM encoded)") SSL_CMD_ALL(VerifyClient, TAKE1, "SSL Client verify type " - "(`none', `optional', `require', `optional_no_ca')") + "(`none', `optional', `require', `optional_no_ca', `require_no_ca')") SSL_CMD_ALL(VerifyDepth, TAKE1, "SSL Client verify depth " "(`N' - number of intermediate certificates)") --- modules/ssl.orig/ssl_engine_config.c 2006-07-23 07:11:58.000000000 -0400 +++ modules/ssl.orig/ssl_engine_config.c 2009-05-26 22:01:24.000000000 -0400 @@ -909,6 +909,9 @@ else if (strcEQ(arg, "optional_no_ca")) { *id = SSL_CVERIFY_OPTIONAL_NO_CA; } + else if (strcEQ(arg, "require_no_ca")) { + *id = SSL_CVERIFY_REQUIRE_NO_CA; + } else { return apr_pstrcat(parms->temp_pool, parms->cmd->name, ": Invalid argument '", arg, "'", --- modules/ssl.orig/ssl_engine_init.c 2008-09-18 10:34:51.000000000 -0400 +++ modules/ssl.orig/ssl_engine_init.c 2009-05-26 23:27:10.000000000 -0400 @@ -501,7 +501,8 @@ /* * Configure callbacks for SSL context */ - if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) { + if ((mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) || + (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) { verify |= SSL_VERIFY_PEER_STRICT; } --- modules/ssl.orig/ssl_engine_io.c 2008-01-04 05:03:49.000000000 -0500 +++ modules/ssl.orig/ssl_engine_io.c 2009-05-26 23:30:58.000000000 -0400 @@ -1129,6 +1129,9 @@ "configuration"); ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); } + else if (ssl_verify_error_is_optional(verify_result) && + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) { + } else { const char *error = sslconn->verify_error ? sslconn->verify_error : 
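Review bot: The two-way test `(mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) || (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)` introduced in the ssl_engine_init.c hunk is the same predicate the patch hand-writes again in ssl_engine_io.c (@@ -1158), ssl_engine_kernel.c (@@ -388) and ssl_engine_kernel.c (@@ -667), so a future mode or a typo at one site silently desynchronises the others. A single helper next to the enum in ssl_private.h, e.g. `#define SSL_CVERIFY_REQUIRES_CERT(m) (((m) == SSL_CVERIFY_REQUIRE) || ((m) == SSL_CVERIFY_REQUIRE_NO_CA))`, would let all four sites read `if (SSL_CVERIFY_REQUIRES_CERT(mctx->auth.verify_mode))`. The surrounding function in each case starts and ends outside the hunk.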
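Review bot: The new `else if (ssl_verify_error_is_optional(verify_result) && (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) { }` in the ssl_engine_io.c hunk accepts a certificate whose issuer could not be verified with an empty body, so nothing is logged and a reader cannot tell whether the empty braces are intentional. The sibling branch just above records its decision with `ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server)`, and a mode that waives chain validation is exactly where an operator later wants an audit trail; at minimum give the branch a comment such as `/* require_no_ca: unverifiable issuer is accepted by configuration */` and a log line like `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL client certificate accepted with unverifiable issuer (require_no_ca)");`, mirroring the `ap_log_cerror` call this file already uses in the next hunk. The enclosing function starts and ends outside the hunk.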
@@ -1158,7 +1161,8 @@ * Make really sure that when a peer certificate * is required we really got one... (be paranoid) */ - if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) && + if (((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) || + (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) && !sslconn->client_cert) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, --- modules/ssl.orig/ssl_engine_kernel.c 2006-07-11 23:38:44.000000000 -0400 +++ modules/ssl.orig/ssl_engine_kernel.c 2009-05-26 23:20:35.000000000 -0400 @@ -388,7 +388,8 @@ /* configure new state */ verify = SSL_VERIFY_NONE; - if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) { + if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || + (dc->nVerifyClient == SSL_CVERIFY_REQUIRE_NO_CA)) { verify |= SSL_VERIFY_PEER_STRICT; } @@ -667,7 +668,7 @@ * Finally check for acceptable renegotiation results */ if (dc->nVerifyClient != SSL_CVERIFY_NONE) { - BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE); + BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || (dc->nVerifyClient == SSL_CVERIFY_REQUIRE_NO_CA); if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, @@ -1223,7 +1224,8 @@ } if (ssl_verify_error_is_optional(errnum) && - (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) + ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) || + (verify == SSL_CVERIFY_REQUIRE_NO_CA))) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Certificate Verification: Verifiable Issuer is " @@ -1237,7 +1239,7 @@ /* * Additionally perform CRL-based revocation checks */ - if (ok) { + if (ok && (verify != SSL_CVERIFY_REQUIRE_NO_CA)) { if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) { errnum = X509_STORE_CTX_get_error(ctx); } --- modules/ssl.orig/ssl_private.h 2007-11-20 09:16:11.000000000 -0500 +++ modules/ssl.orig/ssl_private.h 2009-05-26 22:00:11.000000000 -0400 
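Review bot: In the ssl_engine_kernel.c @@ -667 hunk, setting `do_verify` for SSL_CVERIFY_REQUIRE_NO_CA makes the post-renegotiation check `SSL_get_verify_result(ssl) != X509_V_OK` reject the very certificates the mode accepts during the initial handshake, because the ssl_engine_io.c hunk above relies on the verify result still carrying the "optional" issuer error after the callback has accepted it; unless that result is reset somewhere outside the hunk, a per-directory renegotiation under require_no_ca will fail for every client whose issuer is not configured. The check should tolerate the same optional errors that `ssl_callback_SSLVerify` accepts for this mode (the @@ -1223 hunk), which needs a few lines rather than a tweak to the condition; a split of the over-long `BOOL do_verify = ... || ...;` line at the `||` would also keep it inside the file's usual width. The enclosing function starts and ends outside the hunk.
```c
    if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
        BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
                         (dc->nVerifyClient == SSL_CVERIFY_REQUIRE_NO_CA);
        long verify_result = SSL_get_verify_result(ssl);
        /* require_no_ca accepts the same "optional" issuer errors that
         * ssl_callback_SSLVerify accepts during the initial handshake */
        BOOL issuer_ok = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE_NO_CA) &&
                         ssl_verify_error_is_optional(verify_result);

        if (do_verify && (verify_result != X509_V_OK) && !issuer_ok) {
            /* … unchanged: ap_log_error and failure handling … */
```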
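Review bot: The condition `if (ok && (verify != SSL_CVERIFY_REQUIRE_NO_CA))` in the ssl_engine_kernel.c @@ -1237 hunk disables the CRL revocation check for every connection in require_no_ca mode, including clients whose chain did verify against a configured CA, so a revoked certificate from a trusted issuer is accepted in that mode; the existing optional_no_ca mode keeps the `if (ok)` check, so the two no_ca modes now diverge in a way the patch does not explain. If the intent is only to avoid a CRL lookup for an issuer that was never verified, narrow the exclusion to the accepted case, e.g. `if (ok && !((verify == SSL_CVERIFY_REQUIRE_NO_CA) && ssl_verify_error_is_optional(errnum)))`, assuming `errnum` still holds the error the @@ -1223 branch accepted at that point. If skipping revocation entirely is intended, that consequence belongs in the `require_no_ca` help text changed in mod_ssl.c. The enclosing callback starts and ends outside the hunk.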
@@ -220,7 +220,8 @@ SSL_CVERIFY_NONE = 0, SSL_CVERIFY_OPTIONAL = 1, SSL_CVERIFY_REQUIRE = 2, - SSL_CVERIFY_OPTIONAL_NO_CA = 3 + SSL_CVERIFY_OPTIONAL_NO_CA = 3, + SSL_CVERIFY_REQUIRE_NO_CA = 4 } ssl_verify_t; #define SSL_VERIFY_PEER_STRICT \
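Review bot: The new enumerator `SSL_CVERIFY_REQUIRE_NO_CA = 4` carries no comment, although its meaning is spread over five files in this patch and is not deducible from the name alone. A one-line comment on the enumerator, e.g. `/* client cert required, but issuer chain need not verify and CRL check is skipped (see ssl_callback_SSLVerify) */`, would tell the next maintainer that an identity accepted in this mode is not authenticated by any configured CA and must be checked by whatever consumes it. If the SSLVerifyClient manual page lists the accepted values, it presumably needs the same addition, which this patch does not appear to include.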