Hello!

On Wed, Apr 03, 2013 at 09:30:40AM -0400, Sekhar wrote:

> Hi Maxim,
>
> Thanks for replying to the post. Below is my concern.
>
> Multiple certificate can have the same DN and the DN name match will happen
> after the SSL handshake is complete using the root CA. It means the SSL
> layer is complete and we are doing authorization not authentication.

The CA is supposed to ensure that DN claimed in a certificate is
correct, that's the whole point of PKI.

If you want to do authentication yourself without trusting the
root CA used to issue certificates, you may do so in a similar
manner by checking the whole certificate as available via
$ssl_client_raw_cert variable.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx