Option to fail TLS handshake on bad client cert

Jason Wang jwang60606 at gmail.com
Wed Nov 13 19:03:45 UTC 2019


I'm using nginx to proxy gRPC requests that have the client authenticate
with a client certificate. When connecting directly to Go's gRPC server
with an untrusted client certificate or with no client certificate when one
is required, the server will fail the TLS handshake. I believe it would be
useful if nginx supported enabling this behavior.

This behavior is useful because it allows clients to know that they are not
authenticated when they dial as opposed to on making a gRPC request.
Additionally, failing the TLS handshake removes the need for the error
pages served to the client indicating an untrusted certificate to have the
Content-Type, grpc-status, and grpc-message headers set.

Would the project be open to implementing this or accepting patches based
on this rationale?
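
The behaviour described above, as an added example rather than code from this thread, from nginx or from gRPC: the server side is configured the way Go's gRPC server is (tls.RequireAndVerifyClientCert), so a missing or untrusted client certificate fails the TLS handshake itself instead of completing it and answering the request with an error page. The throwaway self-signed certificates, the host names and the helper names issue and handshake are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a short-lived self-signed Ed25519 cert for name (constructed test PKI only).
func issue(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one loopback TLS handshake against a server that, like Go's gRPC server, accepts only
// the trusted client cert (presented == nil sends none) and returns the server's handshake verdict.
func handshake(server, trusted tls.Certificate, presented []tls.Certificate) error {
	clientCAs, serverCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(trusted.Leaf)
	serverCAs.AddCert(server.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientCAs: clientCAs, ClientAuth: tls.RequireAndVerifyClientCert}) // verify at handshake, not per request
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // client side; a TLS 1.3 client may only see the rejection alert on its next read
		cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			RootCAs: serverCAs, ServerName: server.Leaf.DNSNames[0], Certificates: presented})
		if err == nil {
			cli.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake() // fails here on a missing or untrusted client cert, before any request
}
```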
