On Feb 10, 2011, at 19:03 , Matthias-Christian Ott wrote:

> On Thu, Feb 10, 2011 at 06:56:50PM +0300, Igor Sysoev wrote:
>> On Thu, Feb 10, 2011 at 04:36:03PM +0100, Matthias-Christian Ott wrote:
>>> On Thu, Feb 10, 2011 at 06:24:31PM +0300, Igor Sysoev wrote:
>>>> On Feb 10, 2011, at 18:04 , Matthias-Christian Ott wrote:
>>>>>
>>>>> What I mean was the following
>>>>>
>>>>> server {
>>>>> location /a {
>>>>> ssl_client_certificate a/ca.pem;
>>>>> ssl_crl a/a.crl;
>>>>> }
>>>>>
>>>>> location /b {
>>>>> ssl_client_certificate b/ca.pem;
>>>>> ssl_crl a/a.crl;
>>>>> }
>>>>> }
>>>>>
>>>>> As far as I can tell from the documentation, both Apache and lighttpd
>>>>> seems to support this.
>>>>
>>>> It requires SSL re-handshake and nginx currently does not support it.
>>>
>>> I'm not familiar with SSL, but from what I read in overviews, the client
>>> presents the client certificate to the server, so the server could check
>>> the certificate against multiple CAs without a re-handshake, right?
>>
>> A client can present a certificate only at SSL handshake phase.
>> If on the first handshake the server did not ask the certificate,
>> it must do re-handshake.
>
> Can't the client itself present to the server, so that the server
> doesn't have to ask?

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient

In per-server context it applies to the client authentication process
used in the standard SSL handshake when a connection is established.
In per-directory context it forces a SSL renegotation with the
reconfigured client verification level after the HTTP request was read
but before the HTTP response is sent.


--
Igor Sysoev
http://sysoev.ru/en/


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel