Encrypting TLS client certificates
WGH
nginx-forum at forum.nginx.org
Tue Oct 25 23:20:00 UTC 2016
When nginx requests a client certificate with the ssl_verify_client option,
and the client complies, the latter sends its certificate in plain text.
Although it's just the public part of the certificate, one can consider it
a kind of information disclosure, since user name, email, organization,
etc. are transmitted in plain text.
According to this stackexchange question -
https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
- it's technically possible to request the client certificate after the
connection is encrypted.
Is it possible to do that in nginx?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270558,270558#msg-270558
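As an added check, not part of the original post, here is a small scanner a practitioner can run over a one-direction (client-to-server) TLS byte stream to confirm whether a Certificate handshake message actually crossed the wire unencrypted. The two sample flights are constructed, and the parser assumes each handshake message fits in a single record (no fragmentation).

```python
import struct

CONTENT_CCS, CONTENT_HANDSHAKE, CONTENT_APPDATA = 20, 22, 23
HS_CERTIFICATE = 11  # handshake message type for Certificate (RFC 5246 / RFC 8446)

def iter_records(stream: bytes):
    """Yield (content_type, version, body) for each TLS record in a raw byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, ver, body
        off += 5 + length

def iter_handshake_msgs(body: bytes):
    """Yield (handshake_type, payload); assumes no message is split across records."""
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + hlen]
        off += 4 + hlen

def plaintext_certificates(stream: bytes):
    """Return payload lengths of Certificate messages readable without any key material."""
    found, encrypted = [], False
    for ctype, _ver, body in iter_records(stream):
        if ctype == CONTENT_CCS:
            encrypted = True  # after ChangeCipherSpec this peer's records are protected
        elif ctype == CONTENT_HANDSHAKE and not encrypted:
            for htype, payload in iter_handshake_msgs(body):
                if htype == HS_CERTIFICATE:
                    found.append(len(payload))
        # application-data records (and post-CCS handshake records) are ciphertext: skip
    return found

def record(ctype: int, body: bytes, ver: int = 0x0303) -> bytes:
    return struct.pack("!BHH", ctype, ver, len(body)) + body

def handshake(htype: int, payload: bytes) -> bytes:
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

# Constructed TLS 1.2-style client flight: Certificate sits in a plaintext handshake record
TLS12_FLIGHT = record(CONTENT_HANDSHAKE, handshake(HS_CERTIFICATE, b"\x00\x00\x20" + b"C" * 32))
# Constructed TLS 1.3-style client flight: Certificate travels inside encrypted
# application-data records (after the compatibility CCS), so only ciphertext is visible
TLS13_FLIGHT = record(CONTENT_CCS, b"\x01") + record(CONTENT_APPDATA, b"\x8a" * 40)
```

Feeding the client side of a real capture to plaintext_certificates() returns an empty list when the certificate was sent under record protection, and the cleartext payload sizes otherwise.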