ssl_verify_client with http
Igor Sysoev
is at rambler-co.ru
Thu Jul 12 00:51:56 MSD 2007
On Wed, Jul 11, 2007 at 09:01:02PM +0200, Paul Dekkers wrote:
> But then there's one more thing: how can I limit the client-certificates
> that are accepted? In stunnel I arranged this by putting the
> certificates in a directory as CA certs, like:
> CAfile = /usr/local/etc/stunnel/chroot/ssl.crt/ca.crt
> CApath = /usr/local/etc/stunnel/chroot/trusted.current/
> along with a validation depth of 3... I tried a similar thing (put the
> client certificate in the ca.crt file) but apparently that doesn't work.
> (In apache I used the SSLRequire field instead, with a long equation
> containing SSL_CLIENT_S_DN_OU and SSL_CLIENT_M_SERIAL and so forth...
> Not very scalable, but that worked too.)
> As an alternative, I tried playing with an if statement and
> ssl_client_serial, but it seems inefficient (or more complex) to verify
> multiple serial numbers here, and proxypass is apparently not allowed in
# In the http context: anything not listed is marked bad.
map $ssl_client_serial $bad {
    default 1;
    1000    0;
    1004    0;
    1005    0;
    ...
}

server {
    if ($bad) {
        return 403;
    }
}
> an if statement... so I couldn't get this working anyway. (There is no
> variable to verify the certificate DN, is there?)
$ssl_client_s_dn
--
Igor Sysoev
http://sysoev.ru/en/
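A fuller configuration built around the approach in Igor's reply, as an added example that is not part of the original thread (it uses current nginx syntax rather than the 2007 version). The file paths, the serial numbers and the DN pattern are assumptions for illustration; the point is that a serial allowlist is only safe when combined with ssl_verify_client against a single trusted CA, because serial numbers are unique per issuer, not globally.

```nginx
# Added example, not from the original thread.
# Paths, serials and the DN pattern below are assumed values.
http {
    # nginx exposes the client certificate serial as hexadecimal.
    # Serials are only unique within one CA, so this list is meaningful
    # only because ssl_client_certificate below pins a single CA.
    map $ssl_client_serial $serial_denied {
        default 1;
        1000    0;
        1004    0;
        1005    0;
    }

    # Alternative: match on the subject DN instead of the serial.
    # Since nginx 1.11.6 $ssl_client_s_dn is in RFC 2253 form
    # (CN=...,OU=...,O=...); older versions use /C=../O=../CN=..,
    # and $ssl_client_s_dn_legacy keeps that form in newer versions.
    map $ssl_client_s_dn $dn_denied {
        default 1;
        "~^CN=[^,]+,OU=ops,O=Example Corp,C=NL$" 0;
    }

    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Only certificates chaining to this CA pass verification at all;
        # the maps above are a second filter on top of that.
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client on;
        ssl_verify_depth 3;

        # "if" with a plain "return" is one of the safe uses of if in nginx.
        if ($serial_denied) {
            return 403;
        }

        # Swap $serial_denied for $dn_denied to filter on the DN instead.

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Because the proxy_pass lives in a location block rather than inside the if, this also avoids the restriction the original question ran into with proxying inside an if statement.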