[PATCH] Add ssl_client_EKU nginx variable.

Andrey Kulikov
September 08, 2015 07:48PM
Hello,

Please find attached a patch that adds the ssl_client_EKU nginx variable.

The variable contains a comma-separated list of OIDs presented in the
client's certificate (if any). If the EKU extension is absent, an empty line will
be returned.
The dot-separated form of the OID was chosen rather than the human-readable
short name, as the EKU may contain values OpenSSL is not aware of,
and we receive "UNDEF" only in this case.
The purpose is to use it in Lua scripts, or to let the backend server know the list of
EKUs, as it can contain a lot more than just 'TLS Client Authentication'.
(for those who read Russian:
http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)

For example, the directive
proxy_set_header X-ClientCert-EKU $ssl_client_EKU;
will result in the following proxied header:
X-ClientCert-EKU: 1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1

Tested on 1.8.0, 1.9.4

Best wishes,
Andrey
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
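
Added example, not part of the original post or of the attached patch: one way a backend could consume the X-ClientCert-EKU header described above, comparing whole OIDs rather than substrings and failing closed on malformed values. The function names and the policy are hypothetical, and the code assumes the backend is reachable only through the proxy that sets this header.

```python
import re

# Dotted-decimal OID: first arc 0-2, followed by one or more further arcs.
_OID_RE = re.compile(r"[0-2](\.(0|[1-9]\d*))+")

# id-kp-clientAuth, the 'TLS Client Authentication' EKU.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Header value taken from the example in the post.
SAMPLE = "1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1"


class EKUHeaderError(ValueError):
    """The header value is not a comma-separated list of dotted OIDs."""


def parse_eku_header(value):
    """Return the set of EKU OIDs carried in an X-ClientCert-EKU value.

    An empty value (no EKU extension, or no client certificate) yields
    an empty set, matching the behaviour described in the post.
    """
    if value is None or value.strip() == "":
        return frozenset()
    oids = set()
    for item in value.split(","):
        oid = item.strip()
        if not _OID_RE.fullmatch(oid):
            raise EKUHeaderError("malformed OID in EKU header: %r" % item)
        oids.add(oid)
    return frozenset(oids)


def client_allowed(header_value, required):
    """True only if every OID in `required` is present in the header."""
    try:
        present = parse_eku_header(header_value)
    except EKUHeaderError:
        return False  # fail closed on anything unparseable
    return set(required) <= present


if __name__ == "__main__":
    print(sorted(parse_eku_header(SAMPLE)))
    print(client_allowed(SAMPLE, [CLIENT_AUTH, "1.2.643.3.34.2.6"]))
```

Set membership on whole OIDs matters here: a substring test for 1.3.6.1.5.5.7.3.2 would also accept 1.3.6.1.5.5.7.3.20.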