New SSL features for Nginx.

Igor Sysoev is at rambler-co.ru
Wed Jul 22 22:38:59 MSD 2009


On Wed, Jul 22, 2009 at 07:15:54PM +0200, Brice Figureau wrote:

> On 22/07/09 16:52, Igor Sysoev wrote:
> >On Wed, Jul 22, 2009 at 12:21:23PM +0200, Brice Figureau wrote:
> >
> >>Hi Igor,
> >>
> >>On Wed, 2009-07-22 at 12:44 +0400, Igor Sysoev wrote:
> >>>On Tue, Jul 21, 2009 at 08:02:05PM +0200, Brice Figureau wrote:
> >>>
> >>>>Hi,
> >>>>
> >>>>For the Puppet[1] Nginx deployment (that is using Nginx as a front-end 
> >>>>load-balancer to puppetmasters[2]), I had to create the following two 
> >>>>patches, to match Apache behaviour:
> >>>>
> >>>> * The first patch allows:
> >>>>  + a new variant of ssl_client_verify: optional. In this mode, if the 
> >>>>client sends a certificate it is verified, but if the client doesn't 
> >>>>send a certificate, the connection is authorized too.
> >>>>
> >>>>  + a new variable: $ssl_client_verify which contains, either NONE, 
> >>>>SUCCESS or FAILURE depending on the verification status. It can be used 
> >>>>to send information to the upstream about the client verification.
> >>>>
> >>>> * The second patch adds CRL support to the client certificate 
> >>>>verification:
> >>>>
> >>>>  ssl_crl /path/to/crl.pem;
> >>>>
> >>>> Nginx then verifies the client certificate hasn't been revoked in the 
> >>>>given CRL before allowing the connection to proceed.
> >>>>
> >>>>For access to the patches, please see my last blog article:
> >>>>http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
> >>>>
> >>>>It would be great if those patches could be merged in the official 
> >>>>Nginx source tree.
> >
> >>Thanks for reviewing the patch (at least the first one could be merged,
> >>couldn't it?).
> >
> >Could you test the attached slightly changed first patch?
> 
> It works fine, and passes all my tests.

OK.


-- 
Igor Sysoev
http://sysoev.ru/en/
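The front-end configuration the thread describes, as an added example that is not part of the thread or of either patch. It uses the directive names as they shipped in nginx (`ssl_verify_client optional` and `ssl_crl`) together with the `$ssl_client_verify` variable; the upstream address, host name and certificate paths are assumptions, and the snippet belongs inside an `http` block.

```nginx
# Added example (not from the thread): nginx in front of puppetmasters with
# optional client verification, CRL checking, and the verification result
# forwarded to the upstream.

upstream puppetmaster {
    server 127.0.0.1:18140;      # assumed backend address
}

# Only SUCCESS counts as an authenticated client. NONE (no certificate sent)
# and any failed verification map to 0, so the rule does not depend on the
# exact spelling of the failure value.
map $ssl_client_verify $client_authenticated {
    SUCCESS  1;
    default  0;
}

server {
    listen      8140 ssl;
    server_name puppet.example.com;                               # assumed

    ssl_certificate      /etc/puppet/ssl/certs/puppet.pem;        # assumed paths
    ssl_certificate_key  /etc/puppet/ssl/private_keys/puppet.pem;

    # A presented client certificate is verified against the Puppet CA;
    # a client that presents none is still allowed to connect.
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       1;

    # Certificates listed in the CA's revocation list are rejected.
    ssl_crl /etc/puppet/ssl/ca/ca_crl.pem;

    location / {
        proxy_pass http://puppetmaster;

        # proxy_set_header replaces whatever value the client sent for these
        # headers, so the upstream can trust them as long as it is reachable
        # only through this proxy.
        proxy_set_header Host                   $host;
        proxy_set_header X-Client-Verify        $ssl_client_verify;
        proxy_set_header X-Client-Authenticated $client_authenticated;
        proxy_set_header X-Client-DN            $ssl_client_s_dn;
    }
}
```

The point of `optional` here is that authentication is decided per request by the upstream rather than at the TLS handshake: a node without a certificate (for example one still waiting for its certificate to be signed) gets through to the puppetmaster, which reads `X-Client-Verify` and serves only the endpoints such a client is entitled to. The `ssl_crl` line closes the gap the second patch addressed, since a revoked node certificate would otherwise still verify against the CA.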
