Need to compare client certificate CN with an entry in /etc/hosts

Jonathan Matthews contact at
Tue Nov 26 23:00:17 UTC 2013

On 26 November 2013 22:48, Radha Venkatesh (radvenka)
<radvenka at> wrote:
> Jonathan,
> The requirement is that we match an existing hostname entry in /etc/hosts with the Client certificate CN (CN has to be the hostname of the client).

That's not really saying anything /new/, is it? ;-)

Here are some examples of different things that your requirement could mean:

1) Do you want to ensure that the CN that is presented merely *exists*
in /etc/hosts?
2) Do you want to ensure that the connection came from an IP that the
CN's entry in /etc/hosts matches?
3) Both of #1 and #2 combined?

Please give some representative examples of CNs being presented,
/etc/hosts contents, and the allow/deny behaviour you want to see
based on those combinations. Your requirement, whilst obvious and
clear to yourself, is not clear to some people (well, me at least!) as
they don't have their head deep inside your project.


More information about the nginx mailing list