Add new, corporate friendly, SSL client certificate variables.
Maxim Dounin
mdounin at mdounin.ru
Mon Feb 20 13:20:27 UTC 2017
Hello!
On Mon, Feb 20, 2017 at 10:20:07AM +0000, Dave Bevan wrote:
> # HG changeset patch
> # User Dave Bevan <dave.bevan at bbc.co.uk>
> # Date 1487584846 0
> # Mon Feb 20 10:00:46 2017 +0000
> # Node ID 06bd70321e25e01574e406095ff5f21f56b571da
> # Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
> Add new, corporate friendly, SSL client certificate variables.
>
> Introduce three new SSL variables:
>
> * ssl_client_ms_upn (extracts Microsoft UserPrincipleName from client cert)
> * ssl_client_email (extracts email from client cert)

Implementations of these don't seem to take into account that
there may be more than one such name in a certificate.

> * ssl_client_s_cn (extracts Subject Common Name from client cert)

There is $ssl_client_s_dn variable which contains CN. If for some
reason only the CN is needed, it can be extracted using map{}, see
https://trac.nginx.org/nginx/ticket/1091. And it may be a better
solution to use the DN instead.

> These are particularly useful in corporate environments, and bring some parity
> with Apache facilities (particularly ms_upn extract).

I can't say this explains how these are "useful in corporate
environments". In particular, we've never seen any user requests
about client certificate alternative names, neither email nor
Microsoft-specific ones.

--
Maxim Dounin
http://nginx.org/
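
Added example (not part of the original message and not nginx project code): one way to derive the CN from $ssl_client_s_dn with map{}, as the reply suggests, and pass it to a backend only for verified clients. The variable name $client_cn, the header names, host name, file paths and upstream address are assumptions.

```nginx
# Illustrative configuration; all names and paths below are placeholders.

# Goes in the http{} context.
map $ssl_client_s_dn $client_cn {
    # No CN found: hand the backend an empty value rather than the raw DN.
    default "";

    # $ssl_client_s_dn is formatted per RFC 2253 since nginx 1.11.6
    # (comma-separated RDNs); the older slash-separated form is
    # available as $ssl_client_s_dn_legacy and needs a different pattern.
    # This pattern takes the first CN and stops at the next comma, so a
    # CN value containing an escaped comma is truncated. Forward the full
    # DN as well if the backend makes authorization decisions.
    ~(?:^|,)CN=(?<cn>[^,]+) $cn;
}

server {
    listen 443 ssl;
    server_name internal.example.com;

    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;

    # Only certificates chaining to this CA are accepted; with
    # "ssl_verify_client on" any other client is rejected before the
    # request reaches location{}.
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;
    ssl_verify_client       on;

    location / {
        # Set unconditionally so a client-supplied header of the same
        # name is always overwritten.
        proxy_set_header X-Client-CN $client_cn;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```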