<div dir="ltr"><div><div><div>Hello,<br><br></div>I'm forwarding Filipe's message, because it doesn't appear in the forum's stack.<br></div><div>I'm ok with the proposal.<br></div><br>Kind Regards.<br></div>Franck Levionnois.<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-07 10:35 GMT+02:00 Filipe Da Silva <span dir="ltr"><<a href="mailto:fdasilvayy@gmail.com" target="_blank">fdasilvayy@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
From the mail-auth-http module's point of view, Auth-Verify is<br>
trivial information.<br>
Its value mostly depends on the current server configuration (verify setting).<br>
IMHO, it could be discarded.<br>
<br>
About the various/duplicated headers related to the client<br>
certificate, a smart solution<br>
could be adding an 'auth_http_client_cert' setting.<br>
<br>
It could be either a kind of bit-field allowing to select the wanted<br>
headers one by one or a log level.<br>
<br>
Bit-fields don't seem to be part of nginx configuration usage.<br>
Instead, a short list of keywords could be defined, maybe following<br>
the OpenSSL display one:<br>
<a href="http://www.openssl.org/docs/apps/x509.html#DISPLAY_OPTIONS" target="_blank">http://www.openssl.org/docs/apps/x509.html#DISPLAY_OPTIONS</a><br>
<br>
Or, the auth_http_client_cert log levels could be:<br>
- none<br>
- basic: just the Certificate Subject<br>
- detailed: Subject, Issuer<br>
- complete: Subject, Issuer, sha1 hash<br>
- full: whole certificate<br>
IMHO, 'detailed' should be the default setting, if not configured.<br>
<br>
Regards,<br>
Filipe da Silva<br>
<br>
2014-03-18 18:40 GMT+01:00 Franck Levionnois <<a href="mailto:flevionnois@gmail.com">flevionnois@gmail.com</a>>:<br>
<div class="HOEnZb"><div class="h5">> Hello,<br>
><br>
> There doesn't seem to be a standard for this header name. Apache and F5 let<br>
> the user choose it, but this makes the configuration more complicated. I<br>
> don't think that the name is a problem, because it can be set on the<br>
> authorization server.<br>
><br>
> If the certificate is transmitted, all other information is duplicated<br>
> (except Auth-Verify). Forwarding the certificate is the most useful,<br>
> because it can be used to make controls on its properties.<br>
><br>
> Kind regards,<br>
> Franck Levionnois.<br>
><br>
><br>
><br>
> 2014-03-07 12:31 GMT+01:00 Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>>:<br>
><br>
>> Hello!<br>
>><br>
>> On Fri, Mar 07, 2014 at 09:40:11AM +0100, Franck Levionnois wrote:<br>
>><br>
>> > Hello,<br>
>> > I haven't seen any comment on this patch. Is it ok for you ?<br>
>><br>
>> Sorry, I haven't yet had time to look into it in detail.<br>
>><br>
>> Most problematic part is still auth_http protocol changes - in<br>
>> particular, headers sent and names used for them. I tend to think<br>
>> there should be better names, and probably we can safely omit some<br>
>> information as duplicate/unneeded.<br>
>><br>
>> --<br>
>> Maxim Dounin<br>
>> <a href="http://nginx.org/" target="_blank">http://nginx.org/</a><br>
>><br>
><br>
><br>
</div></div></blockquote></div><br></div></div>