[PATCH] Add ssl_client_EKU nginx variable.

Andrey Kulikov amdeich at gmail.com
Tue Sep 8 23:46:08 UTC 2015


Hello,

Please find attached a patch that adds the ssl_client_EKU nginx variable.

The variable contains a comma-separated list of OIDs presented in the
client's certificate (if any). If the EKU extension is absent, an empty line
will be returned.
The dot-separated form of the OID was chosen rather than the human-readable
short name, as the EKU may contain values OpenSSL is not aware of,
and we receive "UNDEF" only in this case.
The purpose is to use it in Lua scripts, or to let the backend server know the
list of EKUs, as it can contain a lot more than just 'TLS Client Authentication'.
(for those who read Russian:
http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)

For example, the directive
        proxy_set_header X-ClientCert-EKU           $ssl_client_EKU;
will result in the following proxied header:
X-ClientCert-EKU: 1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1

Tested on 1.8.0, 1.9.4

Best wishes,
Andrey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add_ssl_client_EKU_var.patch
Type: text/x-patch
Size: 4039 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150909/96f3e5e6/attachment.bin>
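
How a backend might consume the X-ClientCert-EKU header described in the message above, as an added example that is not part of the original post or the attached patch. The function names, the length limit and the fail-closed policy for an absent EKU are assumptions of this sketch; it also assumes nginx always sets the header with proxy_set_header, so that a value supplied by the client never reaches the backend.

```python
import re

# Strict dotted-decimal OID: first arc 0-2, no leading zeros, at least two arcs.
_OID_RE = re.compile(r"[0-2](?:\.(?:0|[1-9][0-9]*))+")

ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # TLS Web Client Authentication (RFC 5280)
MAX_HEADER_LEN = 4096  # assumed limit, chosen for this example


class EKUHeaderError(ValueError):
    """Header value is not a well-formed comma-separated OID list."""


def parse_eku_header(value):
    """Return the OIDs in an X-ClientCert-EKU value, in order.

    An empty value means the certificate carried no EKU extension (or no
    client certificate was presented) and yields an empty list.
    """
    if value is None or value == "":
        return []
    if len(value) > MAX_HEADER_LEN:
        raise EKUHeaderError("header too long")
    oids = value.split(",")
    for oid in oids:
        # Reject short names, "UNDEF", padding and anything else non-numeric.
        if not _OID_RE.fullmatch(oid):
            raise EKUHeaderError("malformed OID: %r" % oid)
    return oids


def client_has_eku(value, required):
    """True only if every OID in `required` is listed in the header value.

    Policy assumed here: an absent EKU does not satisfy any requirement.
    """
    return set(required) <= set(parse_eku_header(value))


# Constructed sample: the header value shown in the message above.
SAMPLE = "1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1"

if __name__ == "__main__":
    print(parse_eku_header(SAMPLE))
    print(client_has_eku(SAMPLE, [ID_KP_CLIENT_AUTH, "1.2.643.3.34.2.6"]))
    print(client_has_eku("", [ID_KP_CLIENT_AUTH]))  # no EKU: fail closed
```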

