[PATCH] Add provision to fetch certificate chain from Nginx

Maxim Dounin mdounin at mdounin.ru
Tue Jan 11 20:41:21 UTC 2022


On Thu, Dec 30, 2021 at 09:35:26AM +0000, CHHABRA Mandeep Singh wrote:

> As far as my understanding goes, the intermediate CA 
> certificates are not required to be known to the server.
> It is only the trust anchor(the root CA certificate) which is 
> required to be known and trusted on the sever.
> And in our case also, the root CA certificate is trusted for the 
> web. 

Sure, intermediate certificates are not required to be known by 
the server and can be provided by the client in the extra 
certificates during SSL/TLS handshake.

Such configurations are believed to be extremely rare though: in 
most cases intermediate certificates are well known and can be 
easily configured on the server side, and this saves extra 
configuration on clients.

Further, it is not really possible to properly retrieve such 
client-provided intermediate certificates after the initial 
handshake: these certificates are not saved to the session data 
and therefore not available after session reuse, see 
7653:8409f9df6219 (http://hg.nginx.org/nginx/rev/8409f9df6219).

Hence the original question about the problem you trying to solve.

> I have tried to give a brief of the problem in the following 
> section.
> We have a product which supports multi-tenancy and uses Nginx as 
> a reverse proxy.
> There are different isolated domains which share the same trust 
> anchor. But there could be difference
> in the client certificate chain in different domains. There is a 
> need to do some extra validations based on the CAs in the chain. 
> To be more precise, we have option to specify if a CA could be 
> used to
> do client or user authentication. There is a possibility that in 
> one domain, a CA is enabled for client authentication and in 
> another , the same CA is disabled.
> So, we need a way to get the certificate chain from Nginx, to do 
> these extra validations, apart from what Nginx does i.e. 
> checking if the chain could be verified.
> But there is no way to get the chain, today.

Not sure I've understood your description correctly, but from what 
I understood it looks like you are not trying to retrieve 
client-provided intermediate certificates, but instead trying to 
do additional checking on the chain which contains client-provided 
end certificate and the chain constructed by nginx from the 
intermediate certificates known on the server during certificate 
verification.  That is, you have something like:

- Root CA, Intermediate1 CA, Intermediate2 CA - all known on the 

- Client certs signed by Intermediate1 CA;

- Client certs signed by Intermediate2 CA.

And you want to allow access only to certificates signed by 
Intermediate1 CA in some cases, and only certificates signed by 
Intermediate2 CA in other cases.  Is that correct?

Such problem seems to be solvable by just looking at 
$ssl_client_escaped_cert and re-creating the certificate chain 
from the list of CA certificates known on the server.  In simple 
cases (assuming all intermediate CA DNs are unique) just checking 
the $ssl_client_i_dn variable would be enough.

Does it look reasonable, or I misunderstood something?

Maxim Dounin

More information about the nginx-devel mailing list