Re: $ssl_client_escaped_cert does not contain intermediate client certificates

Maxim Dounin
July 06, 2020 11:12AM
Hello!

On Sat, Jul 04, 2020 at 05:52:09AM -0400, everhardt wrote:

> I have the following certificate chain: Root certificate > Intermediate
> certificate > End user certificate.
>
> I've set up nginx as an SSL termination proxy for a backend service that
> differentiates its actions based on the serial of the intermediate
> certificate and the subject of the end user certificate. Only the root
> certificate is available at the (nginx) server, the client will present the
> intermediate + end user certificate.
>
> Relevant nginx configuration is as follows:
>
> ssl_client_certificate root_cert.pem; # so only the root certificate
> ssl_verify_client on;
> ssl_verify_depth 2;
>
> proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert; # to
> pass it on to the backend service
>
> Connectivity works great: nginx accepts the request if the client (I'm
> testing with curl) presents intermediate + end user certificate and passes
> it on to the backend service. If the client presents only one of the
> certificates, nginx rightly rejects it. So I'm sure curl shares both
> certificates with nginx.
>
> Where it goes wrong, is when nginx passes the certificate information to the
> backend service. The embedded variable $ssl_client_escaped_cert only seems
> to contain the end user certificate and not the intermediate one(s). I did
> some logging to check $ssl_client_raw_cert, but that also only contains the
> end user certificate.
>
> Is there a way to get the intermediate client certificates included in these
> embedded variables?

No. Further, intermediate certs as sent by the client are not
saved by the OpenSSL into session information, so the approach you
are trying to use is not going to work at all, more or less
universally (or at least it won't work with session resumption).
For things to work, you may want to reconsider the approach and
make sure all intermediate certificates are known on the server
instead.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
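One way to apply the advice in the reply above, as an added configuration example that is not part of the thread: the server's `ssl_client_certificate` file carries the root and the intermediate concatenated, so verification no longer depends on whatever chain the client chooses to send (or on the resumed session carrying it). Since the variables only ever expose the leaf, the backend identifies the issuing intermediate from the leaf's issuer DN (`$ssl_client_i_dn`) and keeps its own table of intermediate serials, rather than expecting the intermediate certificate in a header. The variables `$ssl_client_i_dn`, `$ssl_client_s_dn` and `$ssl_client_verify` are real nginx embedded variables; all file paths, the server name and the backend address are assumptions.

```nginx
# Added example, not from the thread. Assumed paths:
#   /etc/nginx/client-ca-chain.pem  = root CA cert + intermediate CA cert, concatenated PEM
#   /etc/nginx/server.pem, /etc/nginx/server.key = this server's own TLS credentials
server {
    listen 443 ssl;
    server_name example.test;                       # placeholder

    ssl_certificate     /etc/nginx/server.pem;
    ssl_certificate_key /etc/nginx/server.key;

    # Both CA certificates live on the server, so a client that presents only
    # the end-user certificate still verifies, and the intermediate is no longer
    # something nginx has to learn from the client. Leaf -> intermediate -> root
    # is still two signatures deep, so depth 2 stays.
    ssl_client_certificate /etc/nginx/client-ca-chain.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://127.0.0.1:8080;           # assumed backend

        # Leaf certificate only, URL-encoded PEM, exactly as the thread establishes.
        proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert;

        # The leaf's issuer DN equals the intermediate's subject DN, which is
        # enough for the backend to look up that intermediate (and its serial)
        # in a server-side table instead of needing the certificate itself.
        proxy_set_header X-Ssl-Client-I-DN   $ssl_client_i_dn;
        proxy_set_header X-Ssl-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-Ssl-Client-Verify $ssl_client_verify;   # "SUCCESS" when verified
    }
}
```

Because `proxy_set_header` replaces any same-named header the client sends, the backend can trust these values only on requests that arrived through this server block; any other path into the backend must not forward them. Note also that the `ssl_client_certificate` file is what nginx advertises to clients as the acceptable CA list, which is the usual reason to put the intermediate there rather than only in `ssl_trusted_certificate`.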