Hello! On Mon, Feb 20, 2017 at 10:20:07AM +0000, Dave Bevan wrote:
> # HG changeset patch > # User Dave Bevan <[email protected]> > # Date 1487584846 0 > # Mon Feb 20 10:00:46 2017 +0000 > # Node ID 06bd70321e25e01574e406095ff5f21f56b571da > # Parent 87cf6ddb41c216876d13cffa5e637a61b159362c > Add new, corporate friendly, SSL client certificate variables. > > Introduce three new SSL variables: > > * ssl_client_ms_upn (extracts Microsoft UserPrincipleName from client cert) > * ssl_client_email (extracts email from client cert) Implementations of these doesn't seem to take into account that there may be more than one such name in a certificate. > * ssl_client_s_cn (extracts Subject Common Name from client cert) There is $ssl_client_s_dn variable which contains CN. If for some reason only the CN is needed, it can be extracted using map{}, see https://trac.nginx.org/nginx/ticket/1091. And it may be a better solution to use the DN instead. > These are particularly useful in corporate environments, and bring some parity > with Apache facilities (particularly ms_upn extract). I can't say this explains how these are "useful in corporate environments". In particular, we've never seen any user requests about client certficate alternative names, neither email nor Microsoft-specific ones. -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
