ssl_verify_client with http

Igor Sysoev is at
Thu Jul 12 00:51:56 MSD 2007

On Wed, Jul 11, 2007 at 09:01:02PM +0200, Paul Dekkers wrote:

> But then there's one more thing: how can I limit the client-certificates
> that are accepted? In stunnel I arranged this by putting the
> certificates in a directory as CA certs, like:
>  CAfile = /usr/local/etc/stunnel/chroot/ssl.crt/ca.crt
>  CApath = /usr/local/etc/stunnel/chroot/trusted.current/
> along with a validation depth of 3... I tried a similar thing (put the
> client certificate in the ca.crt file) but apparently that doesn't work.
> (In apache I used the SSLRequire field instead, with a long equation
> containing SSL_CLIENT_S_DN_OU and SSL_CLIENT_M_SERIAL and so forth...
> Not very scalable, but that worked too.)

> As an alternative, I tried playing with an if statement and
> ssl_client_serial, but it seems inefficient (or more complex) to verify
> multiple serial numbers here, and proxypass is apparently not allowed in

map  $ssl_client_serial  $bad  {
     default              1;

     1000                 0;
     1004                 0;
     1005                 0;

server {
     if ($bad) {
         return 403;

> an if statement... so I couldn't get this working anyway. (There is no
> variable to verify the certificate DN, is there?)


Igor Sysoev

More information about the nginx mailing list