SSL client verification context
Igor Sysoev
igor at sysoev.ru
Thu Feb 10 18:56:50 MSK 2011
On Thu, Feb 10, 2011 at 04:36:03PM +0100, Matthias-Christian Ott wrote:
> On Thu, Feb 10, 2011 at 06:24:31PM +0300, Igor Sysoev wrote:
> > On Feb 10, 2011, at 18:04 , Matthias-Christian Ott wrote:
> > >
> > > What I mean was the following
> > >
> > > server {
> > > location /a {
> > > ssl_client_certificate a/ca.pem;
> > > ssl_crl a/a.crl;
> > > }
> > >
> > > location /b {
> > > ssl_client_certificate b/ca.pem;
> > > ssl_crl a/a.crl;
> > > }
> > > }
> > >
> > > As far as I can tell from the documentation, both Apache and lighttpd
> > > seems to support this.
> >
> > It requires SSL re-handshake and nginx currently does not support it.
>
> I'm not familiar with SSL, but from what I read in overviews, the client
> presents the client certificate to the server, so the server could check
> the certificate against multiple CAs without a re-handshake, right?
A client can present a certificate only at SSL handshake phase.
If on the first handshake the server did not ask the certificate,
it must do re-handshake.
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx-devel
mailing list