<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">It seems the variable you are referring to belongs to the ngx_http_ssl_module, suitable for HTTPS, not to the ngx_stream_ssl_module, suitable for generic TLS.<br></div><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Fri, Sep 16, 2016 at 5:19 AM, Albert Zhang <span dir="ltr">&lt;<a href="mailto:albert@plumewifi.com" target="_blank">albert@plumewifi.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">How to get the common name from a client cert in a TLS connection instead of HTTPS? I am using TLS, not HTTPS, and want to get the common name from the client cert using the NGINX Plus AMI on AWS.<br>
I am using AWS ELB (SSL) + nginx client certificate SSL. I know to use $ssl_client_s_dn, but how do I get/compare the value? Here is my config:<br>
stream {<br>
    upstream stream_backend {<br>
        server 10.252.1.131:1983;<br>
        server 10.252.1.131:2983;<br>
    }<br>
    server {<br>
        listen                4443 ssl;<br>
        proxy_pass            stream_backend;<br>
        proxy_ssl on;<br>
        proxy_ssl_certificate         /etc/ssl/certs/server.crt;<br>
        proxy_ssl_certificate_key     /etc/ssl/certs/server.key;<br>
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;<br>
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;<br>
        # proxy_ssl_client_certificate /etc/ssl/certs/ca.pem;<br>
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca.pem;<br>
        # proxy_ssl_session_reuse on;<br>
        proxy_ssl_verify       on;<br>
        proxy_ssl_verify_depth 4;<br>
        # proxy_ssl_verify_client optional;<br>
        ssl_certificate       /etc/ssl/certs/server.crt;<br>
        ssl_certificate_key   /etc/ssl/certs/server.key;<br>
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;<br>
        ssl_ciphers           HIGH:!aNULL:!MD5;<br>
        ssl_session_cache     shared:SSL:20m;<br>
        ssl_session_timeout   4h;<br>
        ssl_handshake_timeout 30s;<br>
    }<br>
}<br>
<br>
albert<br>
<br>
</blockquote></div><br></div></div>
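<p>On the "get/compare the value" part of the question: the sketch below is an added example, not code from this thread or from nginx. It extracts the CN from a subject DN string and checks it against an allowlist, contrasting a substring regex with a parser that respects escaping. It assumes the DN arrives in comma-separated RFC 2253 string form; the sample DNs, the allowlist and all function names are constructed for illustration.</p>

```python
import re

# Constructed sample subject DNs in comma-separated RFC 2253 form (not from the thread).
GOOD_DN = r"CN=device-42.example.com,OU=Gateways,O=Example Corp,C=US"
# An OU value that contains an escaped comma followed by text that looks like a CN.
TRICKY_DN = r"OU=lab\,CN=device-42.example.com,CN=unknown-device,O=Example Corp,C=US"
ALLOWED_CNS = {"device-42.example.com"}  # hypothetical allowlist


def naive_cn(dn):
    """Weak form: first 'CN=' substring anywhere, even inside another attribute's value."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else None


def split_unescaped(s, seps):
    """Split s on separator characters that are not part of a backslash escape."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]  # keep the escape intact; it is decoded later
            i += 2
            continue
        if s[i] in seps:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    return parts + [cur]


def unescape(value):
    """Decode \\XX hex pairs (exact for ASCII) and \\c single-character escapes."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)


def strict_cn(dn):
    """Return the CN only when the DN holds exactly one CN attribute, else None."""
    cns = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs
            attr, sep, value = ava.partition("=")
            if sep and attr.strip().upper() == "CN":
                cns.append(unescape(value))
    return cns[0] if len(cns) == 1 else None


def is_allowed(dn, extract):
    """Allow only when the extracted CN is an exact member of the allowlist."""
    return extract(dn) in ALLOWED_CNS
```

<p>With the constructed TRICKY_DN, the substring regex reports an allowlisted name that is really part of the OU value, while the strict parser returns the certificate's actual CN and the comparison fails closed.</p>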