Re: Client Authentication Problem when access from android phone

Maxim Dounin
January 08, 2016 12:06PM
Hello!

On Fri, Jan 08, 2016 at 03:33:56AM -0500, atsushi2550 wrote:

> Hi there,
>
> I'm trying to set up a reverse proxy server with client authentication.
>
> --- Environment ---
> My CA is 2 tier.
> Root CA - intermediate CA - Client Certificate.
>
> --- Problem Description ---
> When I accessed the proxy server from a laptop PC,
> only the correct client certificate was suggested,
> and authentication succeeded.
>
> But when I accessed the proxy server from an Android phone,
> ALL installed client certificates were suggested,
> and if I choose the *wrong client certificate, authentication succeeds.
>
> *wrong client certificate: a certificate whose Root CA is the same but
> whose intermediate CA is different,

It's not possible to limit client authentication to only allow
certs issued by an intermediate CA. All certificates which can be
verified up to the trusted root CA are allowed.

If you need to additionally limit access to only allow certain
certs, you can do so based on variables provided by the SSL
module, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

Something like

    if ($ssl_client_i_dn != "...") {
        return 403;
    }

should be appropriate in your case.

--
Maxim Dounin
http://nginx.org/
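
The issuer check suggested in the reply above, placed in a complete reverse-proxy configuration. This is an added example, not part of the original post and not nginx project code; the server name, file paths, upstream address and issuer DN are constructed placeholders, and the `map` form is one assumed way to write the check so that more than one issuer can be listed.

```nginx
# Added example. Names, paths and DNs are placeholders, not values from the thread.
# Place in the http {} context.

# Translate the issuer DN of the presented client certificate into a flag.
# Since nginx 1.11.6, $ssl_client_i_dn is formatted per RFC 2253
# ("CN=...,O=...,C=..."); older versions use the "/C=.../O=.../CN=..." form,
# which newer versions still expose as $ssl_client_i_dn_legacy.
map $ssl_client_i_dn $client_issuer_ok {
    default                                           0;
    "CN=Example Intermediate CA A,O=Example Org,C=US" 1;  # constructed DN
}

server {
    listen 443 ssl;
    server_name proxy.example.com;                    # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Trust anchor is the root CA, so any client certificate that chains
    # to it passes verification, whichever intermediate issued it.
    ssl_client_certificate /etc/nginx/tls/root-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;       # client cert -> intermediate CA -> root CA

    location / {
        # Chain verification has already succeeded at this point;
        # additionally refuse certificates from any other issuer.
        if ($client_issuer_ok = 0) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;             # placeholder upstream
    }
}
```

The DN string has to match exactly what nginx produces for the certificate, so log `$ssl_client_i_dn` once for a known-good client and copy the value from the access log rather than typing it from the certificate by hand.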
