[PATCH] Add ssl_client_not_before and ssl_client_not_after request

Kaj Niemi kajtzu at a51.org
Mon Sep 7 17:42:42 UTC 2015

Wouldn't it be easier to parse and compare if the not before/after values were written as a UNIX timestamp instead of in human readable format? Just a thought :)


Sent from my iPad

From: Andrey Kulikov <amdeich at gmail.com<mailto:amdeich at gmail.com>>
Sent: Monday, September 7, 2015 8:18 PM
Subject: [PATCH] Add ssl_client_not_before and ssl_client_not_after request
To: <nginx-devel at nginx.org<mailto:nginx-devel at nginx.org>>


Nginx SSL module allow to use some variables: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
But sometimes tey are not enough.

Please find attached patch, adding two more:
$ssl_client_not_before - Validity date from client certificate 'Not Before'
$ssl_client_not_after   -  Validity date from client certificate 'Not After'

After applying changes you may use them in configuration along with other variables:

    location /test_headers/ {
        proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial;
        proxy_set_header X-ClientCert-NotBefore     $ssl_client_not_before;
        proxy_set_header X-ClientCert-NotAfter      $ssl_client_not_after;

And it will appears in (in this case) in proxied content in the following form:

X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F
X-ClientCert-NotBefore: Jul  9 22:20:31 2015 GMT
X-ClientCert-NotAfter: Oct  9 22:30:31 2015 GMT

Tested on 1.8.0, tested that it can be cleanly applied to 1.9.4.

Feel free to ask any questions regarding this matter.

Best wishes,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150907/9f713279/attachment.html>

More information about the nginx-devel mailing list