Re: Encrypting TLS client certificates

Rainer Duffner
October 25, 2016 08:12PM
> On 26.10.2016 at 01:20, WGH <nginx-forum@forum.nginx.org> wrote:
>
> When nginx requests a client certificate with ssl_verify_client option,
> and client complies, the latter sends its certificate in plain text.
>
> Although it's just a public part of the certificate, one can consider it
> a kind of information disclosure, since user name, email, organization,
> etc. is transmitted in plain text.
>
> According to this stackexchange question -
> https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
> - it's technically possible to request client certificate after
> connection is encrypted.
>
> Is it possible to do that in nginx?
>


Interesting.
Is that also the case if you’ve got HSTS enabled?

We have clients sending around SSL private keys by email (I wouldn’t be surprised if "somebody" was harvesting those off the internet - but people usually don’t care…) - so your case is very much a luxury problem for me.








_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx