Does ssl_trusted_certificate actually send certs to client?
mdounin at mdounin.ru
Thu Feb 12 13:11:48 UTC 2015
On Thu, Feb 12, 2015 at 11:02:34AM +0100, Julian Simioni wrote:
> Hi all,
> I have an Nginx 1.7.6 server serving HTTPS content, and I've been
> tweaking the configuration lately to ensure it is secure and
> One component of this is ensuring that the intermediate certificate from
> my CA is sent along to any clients connecting to my server, to ensure
> they don't have to fetch it from somewhere else and risk at best a
> longer connection time, and at worst some sort of (unlikely) tampering.
> The traditional way to do this, as far as I'm aware, is to concatenate
> any intermediate certs, as well as the actual certificate for your
> domain, into one file, and then tell Nginx about it using the
> ssl_client_certificate directive. This works great, but I wanted to see
> if there was a way to keep the different certificates in different
> files, just for clarity and ease of maintenance. I put the intermediate
> cert in another file and told Nginx about it with the
> ssl_trusted_certificate directive, and everything worked great!
Both ssl_client_certificate and ssl_trusted_certificate will load
certificates to the trusted store, and OpenSSL will use these
certs to build the certificate chain at runtime if one wasn't
That is, it's a [mis]feature of the OpenSSL library which leads to
While one can use this to construct certificate chains as of now,
it's not a recommended approach because:
- this consumes more CPU power, as the chain will be constructed
- this is not something we (at least I) consider to be a good
feature, and if/when it will be possible to stop OpenSSL from
doing this - we'll do so.
> However, the docs for ssl_trusted_certificate specifically state the
> In contrast to the certificate set by ssl_client_certificate, the list
> of these certificates will not be sent to clients.
This note is not about certificate chain sent to the client, but
about the _list_ of certificates sent to clients while requesting
client certificates. See RFC5246, 7.4.4. Certificate Request,
https://tools.ietf.org/html/rfc5246#section-7.4.4 - the list is
sent in the certificate_authorities field of the Certificate
Request message to let clients know which authorities are accepted
by the server.
More information about the nginx