I am trying to use the directive ssl_crl conditionally. I want to use the ssl_crl only for a specific client CA. For other CAs, I do not want to use the CRL.
One approach I tried was to set an nginx variable using the client issuer and use the variable with ssl_crl.
So I added this to the http block:

    map $ssl_client_i_dn $ssl_crl_value {
        default off;
        "specific CA" "specific_ca_crl.pem";
    }

And then the following in the server block:

    ssl_crl $ssl_crl_value;

With that, NGINX assumes $ssl_crl_value is a filename and tries to open /etc/nginx/$ssl_crl_value without variable expansion (/etc/nginx/specific_ca_crl.pem).
In the NGINX documentation, there is no explicit mention of whether ssl_crl supports variables or not (there is a special note for ssl_certificate). Does that mean ssl_crl does not support variables? Is there any other way to implement conditional behavior for ssl_crl?