DOC: ssl: add 'ca-ignore-err' and 'crt-ignore-err' statements on 'bind'
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 48a6b98..9cc77d0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6747,6 +6747,12 @@
designates a PEM file from which to load CA certificates used to verify
client's certificate.
+ca-ignore-err [all|<errorID>,...]
+ This setting is only available when support for OpenSSL was built in.
+ Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
+ If set to 'all', all errors are ignored. SSL handshake is not aborted if an
+ error is ignored.
+
ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It sets
the string describing the list of cipher algorithms ("cipher suite") that are
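Review bot: The ca-ignore-err entry never says what an errorID is or where its values come from, so a reader cannot build the list. Name the source of the codes (presumably the OpenSSL verify error numbers, if that is what the parser accepts) and give one example value. The entry should also spell out the consequence of 'all': every verification error at depth > 0 is ignored and the handshake completes, so a client whose chain failed verification is let through unless the configuration checks the result some other way. The text should say how that result can be checked.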
@@ -6778,6 +6784,12 @@
a directory, it is highly recommended to load the default one first as a file.
Note that the same cert may be loaded multiple times without side effects.
+crt-ignore-err <errors>
+ This setting is only available when support for OpenSSL was built in.
+ Sets a comma separated list of errorIDs to ignore during verify at depth == 0.
+ If set to 'all', all errors are ignored. SSL handshake is not abored if an
+ error is ignored.
+
defer-accept
Is an optional keyword which is supported only on certain Linux kernels. It
states that a connection will only be accepted once some data arrive on it,
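Review bot: 'abored' in the crt-ignore-err text is a typo for 'aborted'. The synopsis 'crt-ignore-err <errors>' also does not match 'ca-ignore-err [all|<errorID>,...]', although both bodies describe the same syntax ('all' or a comma separated list of errorIDs); use one form for both keywords. It would help to state that depth == 0 is the client's own certificate, since ignoring errors there means a certificate that failed verification still completes the handshake.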
@@ -6937,7 +6949,8 @@
handshake is aborted, while it would have succeeded if set to 'optional'. The
certificate provided by the client is always verified using CAs from 'cafile'
and optional CRLs from 'crlfile'. On verify failure the handshake is aborted,
- regardless of the 'verify' option.
+ regardless of the 'verify' option, unless the error code exactly matches one
+ of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
5.2. Server and default-server options
------------------------------------
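Review bot: 'exactly matches one of those listed' in the added sentence leaves out the 'all' value that both new keywords accept. It also does not say that 'ca-ignore-err' applies only at depth > 0 and 'crt-ignore-err' only at depth == 0, so a reader could assume an error listed under either keyword is ignored at any depth. Suggest wording such as "unless the error is ignored by 'ca-ignore-err' or 'crt-ignore-err'", with a pointer to those two entries for the depth rules.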