[PATCH] Add ssl_client_EKU nginx variable.
mdounin at mdounin.ru
Thu Sep 10 15:48:05 UTC 2015
On Wed, Sep 09, 2015 at 02:46:08AM +0300, Andrey Kulikov wrote:
> Please find attached a patch that adds the ssl_client_EKU nginx variable.
> Variable contains comma-separated list of OIDs, presented in
> client's certificate (if any). If EKU extension is absent, empty line will
> be returned.
> Dot-separated form of OID chosen rather than human-readable
> short name, as EKU may contain values OpenSSL is not aware of,
> and we receive "UNDEF" only in this case.
> Purpose is to use in LUA scripts, or let backend server know the list of
> EKUs, as it can contain a lot more than just 'TLS Client Authentication'.
> (for those who read in Russian:
> http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)
> For example directive
> proxy_set_header X-ClientCert-EKU $ssl_client_EKU;
> will result in following in proxied header:
> X-ClientCert-EKU: 184.108.40.206.220.127.116.11.2,1.2.618.104.22.168.6,1.2.622.214.171.124.1
I can't say I like this. It digs too deep into certificate
internals, and I don't really think this should be available as
nginx variable. Instead, you may consider obtaining the
certificate itself and parsing needed details from it.
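
The alternative suggested in the reply (forward the certificate and parse it in the backend), as an added example that is not part of this thread or of the attached patch. It assumes a Python backend that receives the client certificate as PEM, for instance from nginx's `$ssl_client_cert`; the function names and the sample bytes are constructed for illustration.

```python
import base64

EKU_DER = bytes.fromhex("551d25")  # 2.5.29.37, id-ce-extKeyUsage

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); single-byte tags only, as X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    arcs, acc = [], 0
    for b in value:  # base-128 arcs, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if "-----" not in l)
    return base64.b64decode(body)  # tabs and whitespace are ignored by default

def eku_oids(cert_der):
    """Certificate -> tbsCertificate -> [3] extensions; no tree-wide search,
    so data in the subject DN cannot pose as an extension."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)  # extnID, optional critical, extnValue
                if fields[0] == (0x06, EKU_DER) and fields[-1][0] == 0x04:
                    usages = children(fields[-1][1])[0][1]
                    return [decode_oid(v) for t, v in children(usages) if t == 0x06]
    return []  # no EKU extension: same "empty" result the patch describes

# Constructed skeleton (not a real certificate): only the extensions field,
# holding clientAuth plus a made-up private OID that OpenSSL has no name for.
SAMPLE = bytes.fromhex("30263024a3223020301e0603551d2504173015"
                       "06082b0601050507030206092b06010401868d1f01")
```

`",".join(eku_oids(pem_to_der(pem)))` yields the same comma-separated dotted form the proposed variable would have carried, including OIDs that have no short name.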