Client certificates and check for DN?

rainer at ultra-secure.de rainer at ultra-secure.de
Wed Feb 28 16:04:06 UTC 2018


On 2018-02-28 16:41, Igor A. Ippolitov wrote:
> Hello.
> 
> I'm not sure what you really need, but it looks like you can
> get almost the same result using a combination of map{} blocks and
> conditionals.
> 
> Something like this:
> 
> map $ssl_client_s_dn $ou_matched {
>     ~OU=whatever 1;
>     default 0;
> }
> map $ssl_client_s_dn $cn_matched {
>     ~CN=whatever 1;
>     default 0;
> }
> map $ou_matched$cn_matched $unauthed {
>     ~0 1;
>     default 0;
> }
> server {
>     ....
>     ssl_trusted_certificate path/to/public/certs;
>     ssl_verify_client on;
>     if ($unauthed) {return 403;}
> }


OK, thanks a lot.


I'll look into it.

Currently, the exact details are still a bit murky.
Customer was very vague...
I'll know more Friday next week.



Regards,
Rainer
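
An added example, not part of the original thread: it emulates the quoted map chain in Python over constructed subject DNs and compares the thread's unanchored patterns with anchored variants that require the attribute to be a whole RDN. The anchored patterns, the sample DNs and the comma-separated form of $ssl_client_s_dn are assumptions made for the illustration.

```python
import re

# Patterns as written in the quoted config (nginx "~" is a case-sensitive regex).
PAGE = {"ou": r"OU=whatever", "cn": r"CN=whatever"}

# Hypothetical stricter variants: the attribute must be one complete RDN,
# bounded by the start/end of the DN or by a comma (assumed RFC 2253 form).
ANCHORED = {"ou": r"(^|,)OU=whatever(,|$)", "cn": r"(^|,)CN=whatever(,|$)"}

# Constructed subject DNs, not taken from any real certificate.
SAMPLE_DNS = [
    "CN=whatever,OU=whatever,O=Example",       # intended client
    "CN=whatever-test,OU=whatever,O=Example",  # CN only shares a prefix
    "CN=whatever,OU=whatever2,O=Example",      # OU only shares a prefix
    "CN=other,OU=whatever,O=Example",          # wrong CN
    "CN=whatever,O=Example",                   # no OU at all
]


def unauthed(subject_dn, patterns):
    """Emulate the three map blocks; 1 means the server block returns 403."""
    ou_matched = "1" if re.search(patterns["ou"], subject_dn) else "0"
    cn_matched = "1" if re.search(patterns["cn"], subject_dn) else "0"
    # Third map: "~0" matches when either flag in the concatenation is 0.
    return 1 if re.search(r"0", ou_matched + cn_matched) else 0


def compare():
    """Return (dn, result with page patterns, result with anchored patterns)."""
    return [(dn, unauthed(dn, PAGE), unauthed(dn, ANCHORED)) for dn in SAMPLE_DNS]


if __name__ == "__main__":
    for dn, loose, strict in compare():
        print(f"{dn:45} page={'403' if loose else 'ok '} "
              f"anchored={'403' if strict else 'ok'}")
```

In a map block the anchored form would need quoting, e.g. "~(^|,)OU=whatever(,|$)", and should be checked against the DN strings the deployed nginx version actually logs.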

