New SSL features for Nginx.

Brice Figureau brice+nginx at
Tue Jul 21 22:02:05 MSD 2009


For the Puppet[1] Nginx deployment (that is, using Nginx as a front-end 
load-balancer to puppetmasters[2]), I had to create the following two 
patches to match Apache behaviour:

  * The first patch allows:
   + a new variant of ssl_client_verify: optional. In this mode, if the 
client sends a certificate it is verified, but if the client doesn't 
send a certificate, the connection is authorized too.

   + a new variable: $ssl_client_verify which contains, either NONE, 
SUCCESS or FAILURE depending on the verification status. It can be used 
to send information to the upstream about the client verification.

  * The second patch adds CRL support to client certificate verification:

   ssl_crl /path/to/crl.pem;

  Nginx then verifies the client certificate hasn't been revoked in the 
given CRL before allowing the connection to proceed.

For access to the patches, please see my last blog article:

It would be great if those patches could be merged in the official Nginx 
source tree.


Brice Figureau
My Blog:

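What a front-end using both patched features looks like in practice, as an added example that is not part of the post or the Puppet project's own configuration. The upstream addresses, certificate paths, server name and the X-Client-* header names are assumptions; the directives themselves are the ones the post describes (ssl_verify_client optional, ssl_crl, $ssl_client_verify) plus stock nginx directives.

```nginx
# Added example (not from the post or the Puppet project): an nginx
# front-end terminating TLS for puppetmasters with the two patched features.
# Paths, header names, server_name and backend addresses are assumptions.

upstream puppetmasters {
    server 127.0.0.1:18140;   # assumed backend addresses
    server 127.0.0.1:18141;
}

server {
    listen      8140 ssl;
    server_name puppet.example.com;   # assumed

    ssl_certificate        /etc/puppet/ssl/certs/puppet.example.com.pem;
    ssl_certificate_key    /etc/puppet/ssl/private_keys/puppet.example.com.pem;

    # CA that issues agent certificates; needed for any client verification.
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;

    # Second patch: a certificate that chains to the CA but is listed in
    # this CRL is rejected during the handshake, before any request is proxied.
    ssl_crl                /etc/puppet/ssl/ca/ca_crl.pem;

    # First patch: verify a certificate when the agent presents one, but
    # still accept the connection when it does not (e.g. an agent fetching
    # its first certificate). nginx no longer makes the access decision
    # here; the upstream must, based on the headers below.
    ssl_verify_client      optional;
    ssl_verify_depth       1;

    location / {
        proxy_pass http://puppetmasters;

        # Hand the verification verdict and the subject DN to the upstream.
        # proxy_set_header replaces any same-named header the client sent,
        # so the backend only ever sees nginx's verdict for this connection.
        proxy_set_header X-Client-Verify $ssl_client_verify;   # NONE / SUCCESS / failure
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
    }
}
```

Two caveats a practitioner should keep in mind. First, with optional verification the X-Client-Verify header is the only thing standing between an unauthenticated agent and the puppetmaster, so the backends must be reachable only through this proxy (loopback, as assumed above, or a firewall rule); anyone who can reach port 18140 directly can send "X-Client-Verify: SUCCESS" themselves. Second, when these features were later merged into mainline nginx, $ssl_client_verify took the values NONE, SUCCESS and FAILED (newer releases append a reason, FAILED:reason) rather than the FAILURE string of the patch described in the post, so backend code should grant access on an exact match of SUCCESS and treat everything else as unverified.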