This directive can have multiple meanings. Each variant is separated by a horizontal line.
ssl_engine
| Syntax: | ssl_engine device |
| Default: | |
| Context: | main |
| Reference: | ssl_engine |
Here you can set your preferred OpenSSL engine, if one is available. You can find out which engines you have with the command-line tool: openssl engine -t
For example:
$ openssl engine -t
(cryptodev) BSD cryptodev engine
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
Module: CoreModule
ssl_engine
syntax: ssl_engine
This directive specifies the OpenSSL engine to use, for example PadLock. It requires a recent version of OpenSSL. To verify whether the OpenSSL version installed on your platform supports this, issue the command:
openssl engine
On Debian testing with OpenSSL version 0.9.8o from 01 Jun 2010, it returns:
$ openssl engine
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
Built-in variables
Module ngx_http_ssl_module supports the following built-in variables:
- $ssl_cipher returns the cipher suite being used for the currently established SSL/TLS connection
- $ssl_client_serial returns the serial number of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection
- $ssl_client_s_dn returns the subject Distinguished Name (DN) of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection
- $ssl_client_i_dn returns the issuer DN of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection
- $ssl_protocol returns the protocol of the currently established SSL/TLS connection — depending on the configuration and the options available to the client, it is one of SSLv2, SSLv3 or TLSv1
- $ssl_session_id returns the Session ID of the established secure connection — requires Nginx version greater than or equal to 0.8.20
- $ssl_client_cert
- $ssl_client_raw_cert
- $ssl_client_verify takes the value "SUCCESS" when the client certificate is successfully verified
Nonstandard error codes
This module supports several nonstandard error codes, which can be used for debugging with the aid of the error_page directive:
- 495 - error checking client certificate
- 496 - client did not grant the required certificate
- 497 - normal request was sent to HTTPS
Debugging is done after the request is completely "disassembled" and its components are accessible via variables such as $request_uri, $uri, $arg and more.
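An example configuration that ties the built-in variables and the nonstandard error codes together. It is an added example, not part of the original wiki page; the server name, file paths, header names, log format name and backend address are placeholders.

```nginx
# Added example; every name, path and address below is a placeholder.
http {
    # Log the negotiated TLS parameters and the client-certificate details,
    # so weak protocols and unexpected certificates are visible per request.
    log_format tls '$remote_addr [$time_local] "$request" $status '
                   'proto=$ssl_protocol cipher=$ssl_cipher '
                   'verify=$ssl_client_verify serial=$ssl_client_serial '
                   'subject="$ssl_client_s_dn" issuer="$ssl_client_i_dn"';

    server {
        listen      443 ssl;
        server_name example.com;

        ssl_certificate        /etc/nginx/tls/server.crt;
        ssl_certificate_key    /etc/nginx/tls/server.key;
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # CA that issues client certs
        ssl_verify_client      on;

        access_log /var/log/nginx/tls_access.log tls;

        # 495: error checking the client certificate
        # 496: client did not present the required certificate
        # Answer both with a static page and a standard 403 status.
        error_page 495 496 =403 /cert_required.html;

        # 497: plain HTTP request sent to this HTTPS port.
        # Redirect using the configured server name rather than the
        # client-supplied Host header.
        error_page 497 https://$server_name$request_uri;

        location = /cert_required.html {
            root /usr/share/nginx/html;
        }

        location / {
            # proxy_set_header replaces any header of the same name sent by
            # the client, so the backend only sees values nginx verified.
            proxy_set_header X-Client-DN     $ssl_client_s_dn;
            proxy_set_header X-Client-Serial $ssl_client_serial;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Validate the file with `nginx -t` before reloading.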
References
Module: HttpSslModule