[PATCH] Add ssl_client_EKU nginx variable.
Maxim Dounin
mdounin at mdounin.ru
Thu Sep 10 15:48:05 UTC 2015
Hello!
On Wed, Sep 09, 2015 at 02:46:08AM +0300, Andrey Kulikov wrote:
> Hello,
>
> Please find attached a patch that adds the ssl_client_EKU nginx variable.
>
> Variable contains comma-separated list of OIDs, presented in
> client's certificate (if any). If EKU extension is absent, empty line will
> be returned.
> Dot-separated form of OID chosen rather than human-readable
> short name, as EKU may contain values OpenSSL is not aware of,
> and we receive "UNDEF" only in this case.
> Purpose is to use in LUA scripts, or let backend server know the list of
> EKU's, as it can contain a lot more than just 'TLS Client Authentication'.
> (for those who read in Russian:
> http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)
>
> For example directive
> proxy_set_header X-ClientCert-EKU $ssl_client_EKU;
> will result in following in proxied header:
> X-ClientCert-EKU: 1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1
I can't say I like this. It digs too deep into certificate
internals, and I don't really think this should be available as
an nginx variable. Instead, you may consider obtaining the
certificate itself and parsing needed details from it.
--
Maxim Dounin
http://nginx.org/
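
The alternative suggested in the reply above, as an added example that is not code from nginx or from either author: the backend receives the client certificate itself and extracts the EKU OIDs in dotted form with a standard-library DER walker. It assumes the certificate is forwarded as URL-escaped PEM (for instance via nginx's `$ssl_client_escaped_cert`); `eku_oids`, `der_from_header` and `SAMPLE_DER` are names made up for the illustration, and the sample is a constructed skeleton, not a real certificate.

```python
import base64
from urllib.parse import unquote

EKU_OID = "2.5.29.37"  # id-ce-extKeyUsage

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: n length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, start = read_tlv(buf, start)
        yield tag, vs, start

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last octet of this arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):  # dotted EKU OIDs of a DER certificate; [] if the extension is absent
    _, s, _ = read_tlv(der, 0)                        # Certificate
    _, s, e = read_tlv(der, s)                        # tbsCertificate
    for tag, vs, _ in children(der, s, e):
        if tag != 0xA3:                               # extensions are [3] EXPLICIT
            continue
        _, xs, xe = read_tlv(der, vs)                 # SEQUENCE OF Extension
        for _, es, ee in children(der, xs, xe):
            kids = list(children(der, es, ee))        # extnID, [critical], extnValue
            if decode_oid(der[kids[0][1]:kids[0][2]]) == EKU_OID:
                _, ks, ke = read_tlv(der, kids[-1][1])  # SEQUENCE inside OCTET STRING
                return [decode_oid(der[a:b]) for _, a, b in children(der, ks, ke)]
    return []

def der_from_header(value):                 # URL-escaped PEM header value -> DER
    lines = unquote(value).splitlines()
    return base64.b64decode("".join(l for l in lines if not l.startswith("-----")))

# Constructed sample: a certificate skeleton holding only an EKU extension.
SAMPLE_DER = bytes.fromhex("302d302ba329302730250603551d25041e301c06082b06010505070302"
                           "06072a85030322020606072a850303220201")
```

The walker follows the fixed path Certificate, tbsCertificate, `[3]` extensions rather than searching for the OID anywhere in the encoding, so a look-alike structure elsewhere in the certificate is not picked up. The backend should only trust such a header when the proxy sets it with `proxy_set_header`, which replaces any client-supplied value of the same name.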