Does ssl_trusted_certificate actually send certs to client?

Julian Simioni
February 12, 2015 05:04AM
Hi all,
I have an Nginx 1.7.6 server serving HTTPS content, and I've been
tweaking the configuration lately to ensure it is secure and
performant[1].

One component of this is ensuring that the intermediate certificate from
my CA is sent along to any clients connecting to my server, to ensure
they don't have to fetch it from somewhere else and risk at best a
longer connection time, and at worst some sort of (unlikely) tampering.

The traditional way to do this, as far as I'm aware, is to concatenate
any intermediate certs, as well as the actual certificate for your
domain, into one file, and then tell Nginx about it using the
ssl_client_certificate directive. This works great, but I wanted to see
if there was a way to keep the different certificates in different
files, just for clarity and ease of maintenance. I put the intermediate
cert in another file and told Nginx about it with the
ssl_trusted_certificate directive, and everything worked great!

However, the docs[2] for ssl_trusted_certificate specifically state the
following:

In contrast to the certificate set by ssl_client_certificate, the list
of these certificates will not be sent to clients.

This seems to be at odds with what I'm experiencing. At first I thought
it was possible that the certificate was sent because I had ssl_stapling
set to on, to ensure OCSP responses are also included, but turning that
option off still sends the intermediate cert when new connections are
being initialized. Only removing the ssl_trusted_certificate line from
my config causes the SSL Test to show that not all intermediate certs
are sent.

A nearly unmodified copy of my configs can be found on GitHub[3], and I
would very much like to know if my configuration is working because I am
misunderstanding something (by far the most likely), because the docs are
wrong, because there is a bug in Nginx, or something else.

Thanks,
Julian

[1] Mostly by following the SSL Labs Server Test
https://www.ssllabs.com/ssltest/index.html
[2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
[3] https://github.com/orangejulius/https-on-nginx/blob/master/ssl.conf
and https://github.com/orangejulius/https-on-nginx/blob/master/example-site.conf
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
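A way to settle what the server actually sends, independently of which nginx directive supplied the certificates, is to look at the "Certificate chain" section that `openssl s_client -showcerts` prints and check that each certificate is issued by the next one. The script below is an added example, not code from the thread or from nginx; the s_client output it parses is constructed and the certificate bodies are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of `openssl s_client -showcerts` output (not a real capture):
# leaf followed by one intermediate; the self-signed root is, correctly, absent.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-BODY
-----END CERTIFICATE-----
---
Server certificate
"""

# One chain entry: " N s:<subject>" followed by "   i:<issuer>" on the next line.
ENTRY_RE = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.MULTILINE)

@dataclass
class ChainEntry:
    subject: str
    issuer: str

def parse_chain(showcerts_output: str) -> list[ChainEntry]:
    """Return (subject, issuer) pairs in the order the server presented them."""
    return [ChainEntry(s.strip(), i.strip()) for _, s, i in ENTRY_RE.findall(showcerts_output)]

def chain_problems(chain: list[ChainEntry]) -> list[str]:
    """Findings about the presented chain; an empty list means leaf plus linked intermediates."""
    if not chain:
        return ["no certificates found in s_client output"]
    problems = []
    for n in range(len(chain) - 1):  # each cert must be issued by the one that follows it
        if chain[n].issuer != chain[n + 1].subject:
            problems.append(f"cert {n} issuer '{chain[n].issuer}' != cert {n + 1} subject '{chain[n + 1].subject}'")
    last = chain[-1]
    if len(chain) == 1 and last.subject != last.issuer:
        problems.append("only the leaf was sent; clients must fetch the intermediate themselves")
    if last.subject == last.issuer:
        problems.append("self-signed root included; it adds bytes to every handshake for no benefit")
    return problems
```

Whether the final issuer is a root the client trusts still depends on the client's trust store, which this check does not consult.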