New SSL features for Nginx.
Brice Figureau
brice+nginx at daysofwonder.com
Wed Jul 22 21:15:54 MSD 2009
On 22/07/09 16:52, Igor Sysoev wrote:
> On Wed, Jul 22, 2009 at 12:21:23PM +0200, Brice Figureau wrote:
>
>> Hi Igor,
>>
>> On Wed, 2009-07-22 at 12:44 +0400, Igor Sysoev wrote:
>>> On Tue, Jul 21, 2009 at 08:02:05PM +0200, Brice Figureau wrote:
>>>
>>>> Hi,
>>>>
>>>> For the Puppet[1] Nginx deployment (that is, using Nginx as a front-end
>>>> load-balancer to puppetmasters[2]), I had to create the following two
>>>> patches, to match Apache behaviour:
>>>>
>>>> * The first patch allows:
>>>> + a new variant of ssl_client_verify: optional. In this mode, if the
>>>> client sends a certificate it is verified, but if the client doesn't
>>>> send a certificate, the connection is authorized too.
>>>>
>>>> + a new variable: $ssl_client_verify which contains, either NONE,
>>>> SUCCESS or FAILURE depending on the verification status. It can be used
>>>> to send information to the upstream about the client verification.
>>>>
>>>> * The second patch adds CRL support to the client certificate
>>>> verification:
>>>>
>>>> ssl_crl /path/to/crl.pem;
>>>>
>>>> Nginx then verifies the client certificate hasn't been revoked in the
>>>> given CRL before allowing the connection to proceed.
>>>>
>>>> For access to the patches, please see my last blog article:
>>>> http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
>>>>
>>>> It would be great if those patches could be merged in the official Nginx
>>>> source tree.
>
>> Thanks for reviewing the patch (at least the first one could be merged,
>> couldn't it?).
>
> Could you test the attached slightly changed first patch?
It works fine, and passes all my tests.
Thanks,
--
Brice Figureau
My Blog: http://www.masterzen.fr/
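How the two features described in the thread fit together in a front-end configuration, as an added illustration (not the patches themselves, and not a configuration from the post or from the Puppet project). It assumes the directive names as they ship in nginx (ssl_verify_client, ssl_crl) and the $ssl_client_verify / $ssl_client_s_dn variables; the certificate paths, the upstream name and the header names are placeholders.

```nginx
# Front-end that terminates TLS for puppetmasters and forwards the client
# certificate verification result upstream (illustrative, not from the post).
upstream puppetmasters {
    server 127.0.0.1:18140;   # placeholder backend
}

server {
    listen 8140 ssl;
    server_name puppet.example.com;         # placeholder

    ssl_certificate     /etc/nginx/ssl/puppet.crt;  # placeholders
    ssl_certificate_key /etc/nginx/ssl/puppet.key;

    # Accept the connection whether or not a client certificate is sent;
    # a presented certificate is still checked against the CA chain.
    ssl_client_certificate /etc/nginx/ssl/puppet-ca.crt;
    ssl_verify_client      optional;

    # Reject certificates that the CA has revoked (second patch's feature).
    ssl_crl /etc/nginx/ssl/puppet-ca.crl;

    location / {
        # NONE / SUCCESS / FAILED: the upstream decides what to allow.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        # Only meaningful when X-Client-Verify is SUCCESS.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://puppetmasters;
    }
}
```

Because a client can send these headers itself, the puppetmasters must only be reachable through this proxy and must treat X-Client-DN as authenticated solely when X-Client-Verify is SUCCESS.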