How to make log show a successful exchange of digital certificates

Hello,

 I've made nginx support TLS (mutual authentication). It works and is very
cool, but I want to have some detailed logging about the exchange of digital
certificates. For example, the log should show that the exchange succeeded,
along with the client digital certificate information for that exchange.

 My system looks like:  Browser <--TLS--> Nginx 1.0.8 <--HTTP--> Tomcat

 So, what can I do?

 Thanks for your work.

=============== nginx.conf ================
# log_format is only valid in the http context, so it is declared outside server { }
log_format tls_log '$remote_addr $remote_user [$time_local] "$request" $http_host '
                   '$status $upstream_status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" $ssl_protocol $ssl_cipher $upstream_addr '
                   '$request_time $upstream_response_time';

server
{
listen 8889;
server_name 192.168.10.251;
index index.jsp index.html index.htm;
charset utf-8;
access_log /usr/local/nginx/logs/http_8889_access.log tls_log;

#TLS start
ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_client_certificate ssl/ca.crt ;
ssl_verify_client on;
ssl_protocols  SSLv2 SSLv3 TLSv1;
#TLS end

#chunkin for XTOM
chunkin on;
error_page 411 = @my_411_error;
location @my_411_error {
  chunkin_resume;
}

location ~ /mux-.+ {
  proxy_pass http://192.168.10.123:8080;
  proxy_redirect default;
  proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
  proxy_set_header  X-Real-IP  $remote_addr;
  proxy_set_header  Host $http_host;
}

}

===========

Posted at Nginx Forum:

Hi, I found a way to show the digital certificate exchange information.

I'm sorry, I did not read the documentation:

http://wiki.nginx.org/HttpSslModule

========ref=========
Module ngx_http_ssl_module supports the following built-in variables:

$ssl_cipher returns the cipher suite being used for the currently established SSL/TLS connection

$ssl_client_serial returns the serial number of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection

$ssl_client_s_dn returns the subject Distinguished Name (DN) of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection

$ssl_client_i_dn returns the issuer DN of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection

$ssl_protocol returns the protocol of the currently established SSL/TLS connection — depending on the configuration and client available options it’s one of SSLv2, SSLv3 or TLSv1

$ssl_session_id the Session ID of the established secure connection — requires Nginx version greater or equal to 0.8.20

$ssl_client_cert

$ssl_client_raw_cert

$ssl_client_verify takes the value “SUCCESS” when the client certificate is successfully verified

Posted at Nginx Forum:

My log format

log_format tls_log '$remote_addr $remote_user [$time_local] "$request" $http_host '
                   '$status $upstream_status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" $upstream_addr [$request_time/$upstream_response_time] '
                   '[SSL]: $ssl_protocol $ssl_cipher '
                   'SSL_CLIENT{Verify:$ssl_client_verify, Serial:$ssl_client_serial, '
                   'SDN:$ssl_client_s_dn, IDN:$ssl_client_i_dn}';

And thank you for your work.
nginx is very cool.

Posted at Nginx Forum:
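
To show how the `SSL_CLIENT{...}` segment of the log format in the last post can be used to audit certificate exchanges, here is an added example (not code from the thread or from nginx). The function names and the sample log lines are constructed for illustration; it assumes nginx writes `-` for an empty variable and treats any `$ssl_client_verify` value other than `SUCCESS` as a rejected exchange.

```python
import re

# Matches the "[SSL]: ..." tail of the tls_log format from the last post.
# SDN is matched lazily up to the literal ", IDN:" label, so commas inside a
# DN (comma-separated DN style) do not split the field.
# DN text comes from the certificate: a DN that itself contains ", IDN:" would
# shift the fields, so treat SDN/IDN as untrusted display data.
SSL_TAIL = re.compile(
    r"\[SSL\]: (?P<protocol>\S+) (?P<cipher>\S+) "
    r"SSL_CLIENT\{Verify:(?P<verify>[^,]*), Serial:(?P<serial>[^,]*), "
    r"SDN:(?P<sdn>.*?), IDN:(?P<idn>.*)\}$"
)

def parse_line(line):
    """Return the TLS/client-certificate fields of one tls_log line, or None."""
    m = SSL_TAIL.search(line.rstrip("\n"))
    return m.groupdict() if m else None

def audit(lines):
    """Sort log lines into verified, rejected and unparsed certificate exchanges."""
    verified, rejected, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)      # e.g. written with the older log format
        elif rec["verify"] == "SUCCESS":
            verified.append(rec)
        else:
            rejected.append(rec)       # no certificate sent, or verification failed
    return verified, rejected, unparsed

# Constructed sample lines (not real traffic).
HEAD = '192.168.10.20 - [12/Nov/2011:10:01:02 +0800] "GET /mux-a HTTP/1.1" 192.168.10.251:8889 '
OK_MID = '200 200 512 "-" "Mozilla/5.0" 192.168.10.123:8080 [0.012/0.010] [SSL]: TLSv1 AES256-SHA '
ERR_MID = '400 - 0 "-" "-" - [0.000/-] [SSL]: TLSv1 AES256-SHA '
SAMPLE = [
    HEAD + OK_MID + 'SSL_CLIENT{Verify:SUCCESS, Serial:0A, SDN:/C=CN/O=Example/CN=client1, IDN:/C=CN/O=Example/CN=Example CA}',
    HEAD + ERR_MID + 'SSL_CLIENT{Verify:NONE, Serial:-, SDN:-, IDN:-}',
    HEAD + OK_MID + 'SSL_CLIENT{Verify:SUCCESS, Serial:0B, SDN:CN=client2,O=Example,C=CN, IDN:CN=Example CA,O=Example,C=CN}',
    HEAD + ERR_MID + 'SSL_CLIENT{Verify:FAILED, Serial:0C, SDN:/CN=unknown, IDN:/CN=Other CA}',
    HEAD + '200 200 512 "-" "Mozilla/5.0" TLSv1 AES256-SHA 192.168.10.123:8080 0.012 0.010',
]

if __name__ == "__main__":
    ok, bad, skipped = audit(SAMPLE)
    for rec in ok:
        print("verified:", rec["serial"], rec["sdn"])
    for rec in bad:
        print("rejected:", rec["verify"], rec["sdn"])
    print("unparsed lines:", len(skipped))
```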