Hello!

On Wed, Sep 09, 2015 at 02:46:08AM +0300, Andrey Kulikov wrote:

> Hello,
>
> Please find attached patch, that adds ssl_client_EKU nginx variable.
>
> Variable contains comma-separated list of OIDs, presented in
> client's certificate (if any). If EKU extension is absent, empty line will
> be returned.
> Dot-separated form of OID chosen rather than human-readable
> short name, as EKU may contain values OpenSSL not aware of,
> and we receive "UNDEF" only in this case.
> Purpose is to use in LUA scripts, or let backend server know the list of
> EKU's, as it can contain a lot more than just 'TLS Client Authentication'.
> (for those who read in Russian:
> http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)
>
> For example directive
> proxy_set_header X-ClientCert-EKU $ssl_client_EKU;
> will result in following in proxied header:
> X-ClientCert-EKU: 1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1

I can't say I like this. It digs too deep into certificate
internals, and I don't really think this should be available as
nginx variable. Instead, you may consider obtaining the
certificate itself and parsing needed details from it.

--
Maxim Dounin
http://nginx.org/
