Client cert not received with SNI extension on Openssl and ssl_verify_client off

Posted by sujaladi 
Hi,
I have a use case where I want to proxy the client certificate to upstream services but do not want to validate the cert on Nginx.

I have a single server and the following SSL configuration:

server {
    listen 443 ssl;
    server_name server.app1;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_verify_client off;
}

And my client uses openssl to make a request similar to the one below:

/usr/bin/openssl s_client -cert client.pem -key client.key -connect server.app1:443

With this request I have no issue: I don't validate the request on nginx and I receive the cert on the upstream service.

But when I add the SNI (Server Name Indication) extension to OpenSSL, I don't receive the certificate:

/usr/bin/openssl s_client -cert client.pem -key client.key -connect server.app1:443 -servername server.app1

Both of the above cases had the same SSL configuration (ssl_verify_client off;), so I'm confused as to why adding SNI should change nginx's behavior.

A Wireshark capture revealed that when SNI is disabled, nginx doesn't make a certificate request to the client:

Client-verify off (without servername): Server Hello, Server Key Exchange, Certificate Request, Server Hello Done
Client-verify off + servername: Server Hello, Certificate, Server Key Exchange, Server Hello Done

Does anyone know why nginx makes a certificate request only with SNI disabled? (I might expect it not to ask for a client cert in either case, but not different behavior in each case.)
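To compare server flights like the two captured above without relying on Wireshark's dissector, here is an added example (not from the original post) that parses raw TLS 1.2 records, reassembles the handshake messages and reports whether the server sent a Certificate Request; the two sample flights are constructed to mirror the post's captures and are not real traffic.

```python
import struct

# TLS record content type and handshake message types (RFC 5246 values).
HANDSHAKE = 22
HS_NAMES = {2: "Server Hello", 11: "Certificate", 12: "Server Key Exchange",
            13: "Certificate Request", 14: "Server Hello Done"}

def handshake_messages(data: bytes) -> list:
    """Return the handshake message names in a TLS 1.2 server flight, in order.
    Messages may share a record or span several, so record payloads are joined first."""
    payload, pos = bytearray(), 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated TLS record header")
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        if ctype == HANDSHAKE:          # alerts, ChangeCipherSpec etc. are skipped
            payload += body
        pos += 5 + length
    names, off = [], 0
    while off < len(payload):
        hs_type = payload[off]
        hs_len = int.from_bytes(payload[off + 1:off + 4], "big")
        if off + 4 + hs_len > len(payload):
            raise ValueError("truncated handshake message")
        names.append(HS_NAMES.get(hs_type, "type %d" % hs_type))
        off += 4 + hs_len
    return names

def requests_client_cert(data: bytes) -> bool:
    """True if the server's flight contains a Certificate Request (type 13)."""
    return "Certificate Request" in handshake_messages(data)

def _hs(hs_type: int, body: bytes) -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def _record(body: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body

# Constructed flights mirroring the two captures in the post; bodies are dummy
# bytes, only the types and lengths matter. The second flight splits the Server
# Key Exchange across two records to exercise reassembly.
_SKE = _hs(12, bytes(40))
WITHOUT_SNI = (_record(_hs(2, bytes(38)) + _SKE)
               + _record(_hs(13, bytes(8)) + _hs(14, b"")))
WITH_SNI = (_record(_hs(2, bytes(38)) + _hs(11, bytes(3)) + _SKE[:20])
            + _record(_SKE[20:] + _hs(14, b"")))
```

Feed it the server-side bytes of a real capture (for example exported from Wireshark as raw hex) to confirm which flight carried the Certificate Request.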