Wouldn't it be easier to parse and compare if the not before/after values were written as a UNIX timestamp instead of in human readable format? Just a thought :)
Kaj

Sent from my iPad

_____________________________
From: Andrey Kulikov <amde...@gmail.com>
Sent: Monday, September 7, 2015 8:18 PM
Subject: [PATCH] Add ssl_client_not_before and ssl_client_not_after request
To: <nginx-devel@nginx.org>

Hello,

The Nginx SSL module allows the use of some variables:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

But sometimes they are not enough.
Please find the attached patch, adding two more:

$ssl_client_not_before - Validity date from client certificate 'Not Before'
$ssl_client_not_after - Validity date from client certificate 'Not After'

After applying the changes you may use them in configuration along with other variables:

    location /test_headers/ {
        proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial;
        proxy_set_header X-ClientCert-NotBefore $ssl_client_not_before;
        proxy_set_header X-ClientCert-NotAfter $ssl_client_not_after;
        proxy_pass http://192.168.88.156/;
    }

And they will appear (in this case) in the proxied content in the following form:

    X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F
    X-ClientCert-NotBefore: Jul 9 22:20:31 2015 GMT
    X-ClientCert-NotAfter: Oct 9 22:30:31 2015 GMT

Tested on 1.8.0, tested that it can be cleanly applied to 1.9.4.

Feel free to ask any questions regarding this matter.

Best wishes,
Andrey
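Added example, not part of the thread or of the attached patch: a backend behind the proxy converting the two header values shown in the sample output to UNIX timestamps and checking the validity window, failing closed on missing or malformed values. The function names and the plain-dict `headers` argument are assumptions; the date format is the one in the sample output.

```python
import calendar
import re
import time

# Month names are matched explicitly: strptime("%b") depends on the process locale.
_MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Format from the sample output, e.g. "Jul 9 22:20:31 2015 GMT".
# " +" before the day also accepts a space-padded day ("Jul  9").
_DATE_RE = re.compile(
    r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT$")


def cert_date_to_epoch(value):
    """Convert 'Mon D HH:MM:SS YYYY GMT' to a UNIX timestamp (UTC)."""
    m = _DATE_RE.match(value.strip())
    if not m or m.group(1) not in _MONTHS:
        raise ValueError("unrecognised certificate date: %r" % (value,))
    month = _MONTHS[m.group(1)]
    day, hour, minute, second, year = (int(g) for g in m.groups()[1:])
    # Range-check every field: timegm() would silently roll "Feb 30" over.
    if not (1 <= day <= calendar.monthrange(year, month)[1]
            and hour < 24 and minute < 60 and second < 60):
        raise ValueError("out-of-range certificate date: %r" % (value,))
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def client_cert_window_ok(headers, now=None):
    """True only if both headers parse and not_before <= now <= not_after.

    Assumes `headers` is a dict keyed exactly as in the proxy_set_header
    lines above, and that only the proxy can set these headers.
    """
    now = time.time() if now is None else now
    try:
        not_before = cert_date_to_epoch(headers["X-ClientCert-NotBefore"])
        not_after = cert_date_to_epoch(headers["X-ClientCert-NotAfter"])
    except (KeyError, ValueError):
        return False  # fail closed: missing or malformed dates are rejected
    return not_before <= now <= not_after


# Constructed input, copied from the sample output in the message above.
SAMPLE_HEADERS = {
    "X-ClientCert-NotBefore": "Jul 9 22:20:31 2015 GMT",
    "X-ClientCert-NotAfter": "Oct 9 22:30:31 2015 GMT",
}
```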