Hi,
For Puppet[1] Nginx deployement (that is using Nginx as a front-end
load-balancers to puppetmasters[2]), I had to create the following two
patches, to match Apache behaviour:
* The first patch allows:
+ a new variant of ssl_client_verify: optional. In this mode, if the
client sends a certificate it is verified, but if the client doesn't
send a certificate, the connection is authorized too.
+ a new variable: $ssl_client_verify which contains, either NONE,
SUCCESS or FAILURE depending on the verification status. It can be used
to send information to the upstream about the client verification.
* The second patch adds CRL support to the client certificate
verification:
ssl_crl /path/to/crl.pem;
Nginx then verifies the client certificate hasn't been revoked in the
given CRL before allowing the connection to proceed.
For access to the patches, please see my last blog article:
http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
It would be great if those patches could be merged in the official Nginx
source tree.
Thanks,
[1]: http://reductivelabs.com/products/puppet/
[2]: http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx
--
Brice Figureau
My Blog: http://www.masterzen.fr/
