Need to compare client certificate CN with an entry in /etc/hosts

Francis Daly francis at daoine.org
Tue Nov 26 23:15:37 UTC 2013


On Tue, Nov 26, 2013 at 07:19:55PM +0000, Radha Venkatesh (radvenka) wrote:

Hi there,

> An additional requirement is that we have to match the client certificate
> CN with an existing entry in /etc/hosts. What would be the simplest
> mechanism to do this? HttpPerlModule? Uwsgi?

In nginx terms, you have $remote_addr as the client IP address, and you
have the variables described in

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

as "things from the certificate".

I don't see CN listed there, so I suspect that whatever you do is going
to involve some extra parsing of the certificate, which probably means
something external or dynamic within nginx.conf.

The "simplest" mechanism is probably whichever one you are most familiar
with already.

Whether you use an embedded language or something external, you can make
sure to send the appropriate raw information to it, and let it decide
whether this is good or not.

You may be interested in trying http://nginx.org/r/auth_request as one
possibly way of communicating the success or failure state of your check
back to nginx, but it all depends on the extra code that you must write.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list