Fix ssl verify client compat (#1647)

ltning · Eirik Øverby · web-flow · commit dfdcdf39a3fb · 2025-06-23T18:00:52.000-07:00
* Allow ssl_verify_client when only ssl_trusted_cert is set Fixes #1644 * Fix ssl_verify_client, add version check to remain backward compatible Previous version of patch had a logic error; fixed this. Also made sure we're on an nginx version that supports optional ssl_client_certificate. * Make `ssl_verify_client` optinal, retain old behaviour when `ssl_client_certificate` is defined. --------- Co-authored-by: Eirik Øverby <ltning@anduin.net>
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -3747,11 +3747,11 @@ Default value: `undef`
 
 ##### <a name="-nginx--resource--server--ssl_verify_client"></a>`ssl_verify_client`
 
-Data type: `String`
+Data type: `Optional[String]`
 
 Enables verification of client certificates.
 
-Default value: `'on'`
+Default value: `undef`
 
 ##### <a name="-nginx--resource--server--ssl_crl"></a>`ssl_crl`
 
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
@@ -305,7 +305,7 @@
   Boolean $ssl_listen_option                                                     = true,
   Optional[Variant[String, Boolean, Array[String]]] $ssl_cert                    = undef,
   Optional[String] $ssl_client_cert                                              = undef,
-  String $ssl_verify_client                                                      = 'on',
+  Optional[String] $ssl_verify_client                                            = undef,
   Optional[String] $ssl_dhparam                                                  = undef,
   Optional[String] $ssl_ecdh_curve                                               = undef,
   Boolean $ssl_redirect                                                          = false,
diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb
@@ -20,6 +20,8 @@
 <%   end -%>
 <%   if ( defined? @ssl_verify_client ) && ( @ssl_client_cert.is_a?(String) || @ssl_trusted_cert.is_a?(String) ) -%>
   ssl_verify_client         <%= @ssl_verify_client %>;
+<%   elsif ( not defined? @ssl_verify_client ) && ( @ssl_client_cert.is_a?(String) ) -%>
+  ssl_verify_client         on;
 <%   end -%>
 <% else -%>
 <%   if defined? @ssl_client_cert -%>
