Issue with SSL client certificate

scunningham nginx-forum at
Thu Oct 22 17:06:30 MSD 2009

Thank you for responding so quickly.

When an HTTPS server requests a client to send a certificate, it must send
one or more Distinguished Names in the request. Otherwise the client does
not know what it should send (the client may have many certificates for
different servers). OpenSSL gets these Names from the provided CA certificate.

Snipped from Section 7.4.4, Certificate Request, of RFC 5246, TLS Version 1.2, as follows:
      A list of the distinguished names  of acceptable
      certificate_authorities, represented in DER-encoded format.  These
      distinguished names may specify a desired distinguished name for a
      root CA or for a subordinate CA; thus, this message can be used to
      describe known roots as well as a desired authorization space.  If
      the certificate_authorities list is empty, then the client MAY
      send any certificate of the appropriate ClientCertificateType,
      unless there is some external arrangement to the contrary.

My interpretation of this clause is that the "certificate_authorities" list is optional, so it is legal to have a zero-sized list of distinguished names.  OpenSSL seems to handle the zero case fine, generating a CertificateRequest packet that looks like this (example from Wireshark):

Handshake Protocol: Certificate Request
  Handshake Type: Certificate Request (13)
  Length: 9
  Certificate types count: 6
  Certificate types (6 types)
    Certificate type: RSA Fixed DH (3)
    Certificate type: DSS Fixed DH (4)
    Certificate type: Unknown (5)
    Certificate type: Unknown (6)
    Certificate type: RSA Sign (1)
    Certificate type: DSS Sign (2)
  Distinguished Names Length: 0

The client then responds with whatever cert it deems appropriate, which the server may validate or choose to ignore.

Thanks for your time.
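As an added illustration of the message discussed above (example code written for this page, not code from the poster, nginx or OpenSSL), the following encoder/decoder handles the CertificateRequest handshake message and shows what the empty certificate_authorities list looks like on the wire. The CAPTURED bytes are constructed by hand to match the Wireshark dump above (type 13, length 9, six certificate types, Distinguished Names Length 0), and the DER Name helper is a deliberately minimal one-attribute encoder. The layout in the dump is the TLS 1.0/1.1 one; RFC 5246 (TLS 1.2) inserts a supported_signature_algorithms vector between the certificate types and the CA names, which the tls12 flag accounts for.

```python
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13

# ClientCertificateType values as listed in RFC 5246, section 7.4.4
CLIENT_CERT_TYPES = {
    1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
    5: "rsa_ephemeral_dh_RESERVED", 6: "dss_ephemeral_dh_RESERVED",
    20: "fortezza_dms_RESERVED", 64: "ecdsa_sign", 65: "rsa_fixed_ecdh",
    66: "ecdsa_fixed_ecdh",
}

# Constructed to match the Wireshark dump: 0d | 000009 | 06 | 03 04 05 06 01 02 | 0000
CAPTURED = bytes.fromhex("0d000009060304050601020000")


def der_cn_name(cn):
    """Minimal DER Name holding a single commonName (OID 2.5.4.3) UTF8String.
    Short-form lengths only, which is enough for a hypothetical sample CA name."""
    def tlv(tag, content):
        if len(content) >= 128:
            raise ValueError("short-form DER length only in this helper")
        return bytes([tag, len(content)]) + content
    attribute = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, cn.encode()))
    return tlv(0x30, tlv(0x31, attribute))  # SEQUENCE { SET { attribute } }


def build_certificate_request(cert_types, ca_names, sig_algs=None):
    """Encode a CertificateRequest. ca_names is a list of DER Name blobs and may
    be empty (the zero-length case from the post). sig_algs=None gives the
    TLS 1.0/1.1 layout; a list of (hash, signature) pairs gives TLS 1.2."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    if sig_algs is not None:
        algs = b"".join(bytes([h, s]) for h, s in sig_algs)
        body += struct.pack("!H", len(algs)) + algs
    names = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body += struct.pack("!H", len(names)) + names
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg, tls12=False):
    """Decode a CertificateRequest, rejecting truncated or inconsistent input."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("truncated CertificateRequest at offset %d" % pos)
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    if take(1)[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(take(3), "big")
    if length != len(msg) - 4:
        raise ValueError("handshake length %d != body size %d" % (length, len(msg) - 4))
    count = take(1)[0]
    types = [CLIENT_CERT_TYPES.get(t, "unknown(%d)" % t) for t in take(count)]
    sig_algs = None
    if tls12:
        n = struct.unpack("!H", take(2))[0]
        raw = take(n)
        sig_algs = [(raw[i], raw[i + 1]) for i in range(0, n, 2)]
    dn_total = struct.unpack("!H", take(2))[0]
    end = pos + dn_total
    if end > len(msg):
        raise ValueError("certificate_authorities length exceeds message")
    ca_names = []
    while pos < end:
        ca_names.append(take(struct.unpack("!H", take(2))[0]))
    if pos != end or pos != len(msg):
        raise ValueError("inconsistent certificate_authorities encoding")
    return {
        "length": length,
        "certificate_types": types,
        "signature_algorithms": sig_algs,
        "ca_names": ca_names,
        # Empty list: the client may send any certificate of a listed type,
        # so whatever arrives still has to be validated by the server.
        "ca_list_empty": not ca_names,
    }


if __name__ == "__main__":
    print(parse_certificate_request(CAPTURED))
    sample = build_certificate_request([1, 2], [der_cn_name("Example CA")])
    print(parse_certificate_request(sample))
```

Running the block decodes the captured message to the six named types with an empty CA list, then builds and decodes a request carrying one constructed CA name; feeding it a message whose header length disagrees with the body raises ValueError rather than reading past the end.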

Posted at Nginx Forum:,15584,15888#msg-15888
