Certificates are selected and presented by the server before the client even has the chance to send any cookies, the latter happening after the »TLS handshake«.
2014/1/9 Larry <[email protected]>:
> Hello,
>
> Here is my current conf
>
> server {
>     listen 443;
>
>     server_name ~^(.*)\.sub\.domain\.com$;
>
>     ssl on;
>     ssl_certificate $cookie_ident/$1.crt;
>     ssl_certificate_key $cookie_ident/$1.key;
>     server_tokens off;
>
>     ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
>     ssl_prefer_server_ciphers on;
>     ssl_session_timeout 5m;
>     ssl_session_cache builtin:1000 shared:SSL:10m;
>
>     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
>
>     autoindex off;
>     root /upla/http/www.domain.com;
>     port_in_redirect off;
>     expires 10s;
>     #add_header Cache-Control "no-cache,no-store";
>     #expires max;
>     add_header Pragma public;
>     add_header Cache-Control "public";
>
>     location / {
>         try_files $uri /$request_uri =404;
>     }
> }
>
> I would like to be able to "load" the right cert according to the cookie set
> and request uri.
>
> A sort of dynamic setting.
>
> But of course, when I start nginx, it complains:
> SSL: error:02001002:system library:fopen:No such file or directory:
>
> Perfectly normal since $cookie_ident is empty and no subdomain has been
> requested.
>
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed) certificate issued?
>
> I cannot use only one certificate for all since I have to be able to revoke
> the certs with granularity.
>
> How should I make it work?
>
> Thanks
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,246178,246178#msg-246178
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
