Encrypting TLS client certificates

Rainer Duffner rainer at ultra-secure.de
Wed Oct 26 00:11:30 UTC 2016


> On 26.10.2016 at 01:20, WGH <nginx-forum at forum.nginx.org> wrote:
> 
> When nginx requests a client certificate with ssl_verify_client option,
> and client complies, the latter sends its certificate in plain text.
> 
> Although it's just a public part of the certificate, one can consider it
> a kind of information disclosure, since user name, email, organization,
> etc. is transmitted in plain text.
> 
> According to this stackexchange question -
> https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
> - it's technically possible to request client certificate after
> connection is encrypted.
> 
> Is it possible to do that in nginx?
> 


Interesting.
Is that also the case if you’ve got HSTS enabled?

We have clients sending around ssl private keys by email (I wouldn’t be surprised if „somebody“ was harvesting those off the internet - but people usually don’t care…) - so your case is very much a luxury-problem for me.
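As an added illustration of the disclosure WGH describes (example code written for this thread, not from the list or from nginx): a small parser over the client-to-server side of a TLS byte stream that reports any Certificate handshake message the client sent before its ChangeCipherSpec, i.e. in cleartext. The sample flights are constructed, not real captures, and handshake messages are assumed not to span records.

```python
import struct
CONTENT_CHANGE_CIPHER_SPEC, CONTENT_HANDSHAKE, HS_CERTIFICATE = 20, 22, 11

def tls_records(data):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        off += 5 + length

def handshake_messages(payload):
    """Yield (hs_type, body); assumes no message is split across records."""
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + length]
        off += 4 + length

def cleartext_certificate_sizes(client_stream):
    """Sizes of Certificate messages sent before the client's ChangeCipherSpec."""
    sizes = []
    for ctype, payload in tls_records(client_stream):
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            break  # every later record is encrypted under session keys
        if ctype == CONTENT_HANDSHAKE:
            for hs_type, body in handshake_messages(payload):
                if hs_type == HS_CERTIFICATE:
                    sizes.append(len(body))
    return sizes  # empty list: no certificate was visible on the wire

def _record(ctype, payload):  # TLS record: type, version 1.2, length, payload
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _hs(hs_type, body):  # handshake header: type byte + 3-byte length
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

# Constructed TLS 1.2 client flight (not a capture): Certificate and
# ClientKeyExchange in clear, then ChangeCipherSpec and an opaque Finished.
SAMPLE_TLS12 = (_record(22, _hs(11, b"\x00\x00\x20" + b"\xaa" * 32))
                + _record(22, _hs(16, b"\x00\x10" + b"\xbb" * 16))
                + _record(20, b"\x01") + _record(22, b"\xcc" * 40))
# Constructed TLS 1.3 client flight: after ClientHello and the compatibility
# ChangeCipherSpec, the certificate travels in encrypted application_data.
SAMPLE_TLS13 = (_record(22, _hs(1, b"\x03\x03" + b"\x00" * 32))
                + _record(20, b"\x01") + _record(23, b"\xdd" * 60))
```

Run against the two samples, the TLS 1.2 flight exposes a 35-byte Certificate message while the TLS 1.3 flight exposes none, which is the difference the linked stackexchange answer is about.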