[PATCH] Add ssl_client_EKU nginx variable.

Maxim Dounin mdounin at mdounin.ru
Thu Sep 10 15:48:05 UTC 2015


On Wed, Sep 09, 2015 at 02:46:08AM +0300, Andrey Kulikov wrote:

> Hello,
> Please find attached patch, that add ssl_client_EKU nginx variable.
> Variable contains coma-separated list of OIDs, presented in
> client's certificate (if any). If EKU extension is absent, empty line will
> be returned.
> Dot-separated form of OID choosen rather than human-readable
> short name, as EKU may contains values OpenSSL not aware of,
> and we receive "UNDEF" only in this case.
> Purpose is to use in LUA scripts, or let backend server know the list of
> EKU's, as it can contains lot more that just 'TLS Client Authentication'.
> (for those who read in Russain:
> http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)
> For example directive
>         proxy_set_header X-ClientCert-EKU           $ssl_client_EKU;
> will result in following in proxied header:
> X-ClientCert-EKU:,1.2.643.,1.2.643.

I can't say I like this.  It digs too deep into certificate 
internals, and I don't really think this should be availalbe as 
nginx variable.  Instead, you may consider obtaining the 
certificate itself and parsing needed details from it.

Maxim Dounin

More information about the nginx-devel mailing list