Pass SSL Chain to Client

Posted by mfoacs 
Pass SSL Chain to Client
February 07, 2014 05:24AM
Hi,

We have set up a web service with client certificates as follows:

server {  # opening line of the server block was not included in the post
    ssl on;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
    ssl_certificate /etc/nginx/vhosts.d/ssl/bundle-cert.crt;
    ssl_certificate_key /etc/nginx/vhosts.d/ssl/cert.key;
    ssl_stapling on;
    ssl_stapling_responder http://ocsp.xxxx.com/;
    #ssl_stapling_verify on;
    resolver 8.8.8.8;

    ssl_verify_client optional;
    ssl_verify_depth 3;
    ssl_client_certificate /etc/nginx/vhosts.d/ssl/ClientCA.pem;

    location / {
        try_files $uri $uri /index.php;
    }

    location ~* \.php$ {
        fastcgi_pass cifcgi;
        include fastcgi_ssl.conf;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /home/path/to/public_html/$fastcgi_script_name;
        fastcgi_param PLATFORM preview;
        fastcgi_param VERIFIED $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
    }
}

NGINX
nginx version: nginx/1.4.4
built by gcc 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux)
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --with-http_ssl_module --error-log-path=/var/log/error.log --http-log-path=/var/log/nginx/access.log --user=nginx --group=www --with-pcre=/root/Download/pcre-8.34 --add-module=/root/Download/ngx_http_redis-0.3.7 --with-debug

OpenSSL 1.0.1e 11 Feb 2013

RESULTS:
Authentication works, Client Cert is accepted if valid.

PROBLEM:
Certificate Chain is not visible on the client side.

We are trying to achieve the same thing the Apache directive SSLOptions +ExportCertData does: the full certificate chain is available in SSL_CLIENT_CERT.

Any help will be much appreciated.
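As an added illustration (not part of the thread, and not the poster's PHP backend), here is what the backend behind the fastcgi_param lines above has to do with VERIFIED and DN: with ssl_verify_client optional a request can arrive with $ssl_client_verify set to NONE or FAILED, so the DN is only meaningful when VERIFIED is SUCCESS. It assumes a third, hypothetical param CERT carrying $ssl_client_cert (not in the posted config), whose lines nginx prefixes with tabs for header use, and unfolds it so the leaf certificate can be fingerprinted for logging or pinning.

```python
import base64
import hashlib


def parse_verify(value):
    """Split nginx's $ssl_client_verify into (status, reason).

    Possible values: "SUCCESS", "NONE" (no certificate presented, which
    `ssl_verify_client optional` allows) and "FAILED" or "FAILED:<reason>"
    (the reason suffix only exists in nginx 1.11.7 and later).
    """
    status, _, reason = (value or "NONE").partition(":")
    return status, reason or None


def unfold_nginx_pem(value):
    """Undo nginx's folding of $ssl_client_cert: every line after the first
    is prefixed with a tab so the PEM fits into a single header value."""
    return "\n".join(line.lstrip("\t") for line in value.splitlines()) + "\n"


def pem_to_der(pem):
    body = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def client_identity(params):
    """Gate on the FastCGI params: return None unless nginx verified the
    chain against ssl_client_certificate; the DN alone is never trusted."""
    status, _reason = parse_verify(params.get("VERIFIED"))
    if status != "SUCCESS":
        return None
    der = pem_to_der(unfold_nginx_pem(params["CERT"]))  # CERT is hypothetical
    return {"dn": params["DN"], "sha256": sha256_fingerprint(der)}


# Constructed sample input: the base64 body is an arbitrary byte string,
# not a real X.509 certificate, so the example runs without any real PKI.
FAKE_DER = b"constructed DER placeholder, not a real X.509 certificate"
FAKE_PEM_TABBED = ("-----BEGIN CERTIFICATE-----\n\t"
                   + base64.b64encode(FAKE_DER).decode()
                   + "\n\t-----END CERTIFICATE-----")

if __name__ == "__main__":
    print(client_identity({"VERIFIED": "SUCCESS", "DN": "/CN=example",
                           "CERT": FAKE_PEM_TABBED}))
    print(client_identity({"VERIFIED": "FAILED:unable to get local issuer certificate",
                           "DN": "/CN=forged", "CERT": FAKE_PEM_TABBED}))
```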
Re: Pass SSL Chain to Client
February 07, 2014 10:00AM
Never mind, RTFM:

"It supports checking client certificates with two limitations:

it's not possible to assign a Certificate Revocation List for Nginx versions below 0.8.7.
if you have a chain of certificates — by having intermediate certificates between the server certificate and the CA root certificate — they're not specified separately like you would do for Apache. Instead you'll need to concatenate all the certificates, starting with the server certificate, and going deeper in the chain running through all the intermediate certificates. This can be done with "cat chain.crt >> mysite.com.crt" on the command line. Once this is done there's no further use for all the intermediate certificates in what Nginx is concerned. You'll indicate in the Nginx configuration the file with all the (concatenated) certificates."