SSL client verification context
Matthias-Christian Ott
ott at mirix.org
Thu Feb 10 19:03:41 MSK 2011
On Thu, Feb 10, 2011 at 06:56:50PM +0300, Igor Sysoev wrote:
> On Thu, Feb 10, 2011 at 04:36:03PM +0100, Matthias-Christian Ott wrote:
> > On Thu, Feb 10, 2011 at 06:24:31PM +0300, Igor Sysoev wrote:
> > > On Feb 10, 2011, at 18:04 , Matthias-Christian Ott wrote:
> > > >
> > > > What I meant was the following:
> > > >
> > > > server {
> > > >     location /a {
> > > >         ssl_client_certificate a/ca.pem;
> > > >         ssl_crl a/a.crl;
> > > >     }
> > > >
> > > >     location /b {
> > > >         ssl_client_certificate b/ca.pem;
> > > >         ssl_crl a/a.crl;
> > > >     }
> > > > }
> > > >
> > > > As far as I can tell from the documentation, both Apache and lighttpd
> > > > seem to support this.
> > >
> > > It requires SSL re-handshake and nginx currently does not support it.
> >
> > I'm not familiar with SSL, but from what I read in overviews, the client
> > presents the client certificate to the server, so the server could check
> > the certificate against multiple CAs without a re-handshake, right?
>
> A client can present a certificate only at the SSL handshake phase.
> If on the first handshake the server did not ask for the certificate,
> it must do a re-handshake.
Can't the client itself present it to the server, so that the server
doesn't have to ask?
Regards,
Matthias-Christian
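The following is an added example, not code from this thread or from nginx. It models the order of TLS 1.2 handshake messages that Igor's reply relies on: the client's Certificate message exists only as an answer to the server's CertificateRequest, and the HTTP request naming the location is sent only after the handshake has finished, so a per-location CA (the `/a` and `/b` table below is constructed from the quoted config) can only be enforced by a second handshake on the same connection. No cryptography is performed; `Server`, `Client`, `handshake`, `request_location` and `LOCATION_CA` are names chosen for this example.

```python
"""Model of the TLS 1.2 handshake flights relevant to client authentication.

Constructed example: message order only, no real TLS. The location table is
taken from the config quoted in the thread; "/public" is an added location
that requires no client certificate.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Which CA a location requires the client certificate to chain to (None = none).
LOCATION_CA = {"/a": "a/ca.pem", "/b": "b/ca.pem", "/public": None}


@dataclass
class Client:
    cert_ca: Optional[str]  # CA that issued the client's certificate, or None


@dataclass
class Server:
    request_ca: Optional[str] = None  # CA the server asks for; None = don't ask
    peer_ca: Optional[str] = None     # what the server learned about the client
    transcript: List[str] = field(default_factory=list)


def handshake(server: Server, client: Client) -> List[str]:
    """Run one TLS 1.2 handshake and return its message transcript.

    The client sends Certificate (possibly empty) only after the server's
    CertificateRequest; there is no flight in which it can volunteer one.
    """
    msgs = ["C->S ClientHello", "S->C ServerHello", "S->C Certificate"]
    if server.request_ca is not None:
        msgs.append(f"S->C CertificateRequest(acceptable CA: {server.request_ca})")
    msgs.append("S->C ServerHelloDone")
    if server.request_ca is not None:
        # The client must answer; an empty Certificate message if it has none.
        if client.cert_ca is None:
            msgs.append("C->S Certificate(empty)")
        else:
            msgs.append(f"C->S Certificate(issued by {client.cert_ca})")
    msgs.append("C->S ClientKeyExchange")
    if server.request_ca is not None and client.cert_ca is not None:
        msgs.append("C->S CertificateVerify")  # proof of possession of the key
    msgs += ["C->S ChangeCipherSpec", "C->S Finished",
             "S->C ChangeCipherSpec", "S->C Finished"]
    # Without a CertificateRequest the server learns nothing about the peer.
    server.peer_ca = client.cert_ca if server.request_ca is not None else None
    server.transcript += msgs
    return msgs


def request_location(server: Server, client: Client, path: str) -> Tuple[int, bool]:
    """Deliver an HTTP request for `path` over the established session.

    Returns (status, renegotiated). The server only sees the path here, after
    the handshake, so enforcing a location-specific CA means asking again:
    HelloRequest starts the re-handshake the thread refers to.
    """
    required_ca = LOCATION_CA[path]
    server.transcript.append(f"C->S HTTP GET {path}")
    if required_ca is None:
        return 200, False
    renegotiated = False
    if server.request_ca != required_ca:
        server.transcript.append("S->C HelloRequest")
        server.request_ca = required_ca
        handshake(server, client)
        renegotiated = True
    if server.peer_ca == required_ca:
        return 200, renegotiated
    return 403, renegotiated


if __name__ == "__main__":
    srv, cli = Server(), Client(cert_ca="a/ca.pem")
    handshake(srv, cli)                 # server did not ask: no client cert seen
    print(request_location(srv, cli, "/a"))   # (200, True): needed a re-handshake
    print(request_location(srv, cli, "/b"))   # (403, True): wrong CA for /b
    print("\n".join(srv.transcript))
```

Running it shows the first handshake contains no client Certificate at all, even though the client holds one, and that each change of required CA costs another full handshake inside the same TCP connection.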