Welcome! Log In Create A New Profile

Advanced

Re: Encrypting TLS client certificates`

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
October 26, 2016 11:10AM
Hello!

On Tue, Oct 25, 2016 at 07:20:00PM -0400, WGH wrote:

> When nginx requests a client certificate with ssl_verify_client option,
> and client complies, the latter sends its certificate in plain text.
>
> Although it's just a public part of the certificate, one can consider it
> a kind of information disclosure, since user name, email, organization,
> etc. is transmitted in plain text.
>
> According to this stackexchange question -
> https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
> - it's technically possible to request client certificate after
> connection is encrypted.
>
> Is it possible to do that in nginx?

No. This process requires renegotiation, and renegotiation is
explicitly rejected by nginx due to security implications it has.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

Encrypting TLS client certificates`

WGH October 25, 2016 07:20PM

Re: Encrypting TLS client certificates`

Rainer Duffner October 25, 2016 08:12PM

Re: Encrypting TLS client certificates`

Maxim Dounin October 26, 2016 11:10AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 311
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready