Does ssl_trusted_certificate actually send certs to client?

Julian Simioni julian at simioni.org
Thu Feb 12 10:02:34 UTC 2015


Hi all,
I have an Nginx 1.7.6 server serving HTTPS content, and I've been
tweaking the configuration lately to ensure it is secure and
performant[1].

One component of this is ensuring that the intermediate certificate from
my CA is sent along to any clients connecting to my server, to ensure
they don't have to fetch it from somewhere else and risk at best a
longer connection time, and at worst some sort of (unlikely) tampering.

The traditional way to do this, as far as I'm aware, is to concatenate
any intermediate certs, as well as the actual certificate for your
domain, into one file, and then tell Nginx about it using the
ssl_client_certificate directive. This works great, but I wanted to see
if there was a way to keep the different certificates in different
files, just for clarity and ease of maintenance. I put the intermediate
cert in another file and told Nginx about it with the
ssl_trusted_certificate directive, and everything worked great!

However, the docs[2] for ssl_trusted_certificate specifically state the
following:

  In contrast to the certificate set by ssl_client_certificate, the list
  of these certificates will not be sent to clients.

This seems to be at odds with what I'm experiencing. At first I thought
it was possible that the certificate was sent because I had ssl_stapling
set to on, to ensure OCSP responses are also included, but turning that
option off still sends the intermediate cert when new connections are
being initialized. Only removing the ssl_trusted_certificate line from
my config causes the SSL Test to show that not all intermediate certs
are sent.

A nearly unmodified copy of my configs can be found on GitHub[3], and I
would very much like to know if my configuration is working because I am
misunderstanding something (by far the most likely), because the docs are
wrong, because there is a bug in Nginx, or something else.

Thanks,
Julian

[1] Mostly by following the SSL Labs Server Test
https://www.ssllabs.com/ssltest/index.html
[2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
[3] https://github.com/orangejulius/https-on-nginx/blob/master/ssl.conf
and https://github.com/orangejulius/https-on-nginx/blob/master/example-site.conf
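Added example, not from Julian's post or from the nginx project: a small POSIX shell script that builds the combined file nginx presents to clients via ssl_certificate (primary certificate first, then intermediates, which is the order nginx requires), sanity-checks the result, and counts how many certificates a live server actually sends using openssl s_client -showcerts. The distinction in the configuration comments follows the nginx documentation quoted above (ssl_trusted_certificate is used for verification, e.g. of stapled OCSP responses, and is not sent). File names, the host name and the PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: build and check the certificate chain file nginx sends.
# All paths, PEM bodies and host names here are constructed placeholders.

# Count PEM certificate blocks in a file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenate the server (leaf) certificate first, then each intermediate
# in the order given. nginx expects the primary certificate to come first
# in the combined file handed to ssl_certificate.
build_chain() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # Add a newline if the source file lacks a trailing one, so two
        # PEM blocks never run together on one line.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Verify that the combined file starts with the leaf certificate.
chain_order_ok() {
    chain=$1
    leaf=$2
    [ "$(sed -n '1,2p' "$chain")" = "$(sed -n '1,2p' "$leaf")" ]
}

# Count how many certificates a live server presents in its handshake.
# Requires openssl and network access; compare the result with
# count_certs on the file you configured in ssl_certificate.
served_cert_count() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----'
}

# --- Constructed sample input (not real certificates) ---
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDLEAFBODY' \
    '-----END CERTIFICATE-----' > "$WORK/leaf.pem"
# The intermediate is written without a trailing newline on purpose, to
# exercise the newline fix-up in build_chain.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDINTERMEDIATEBODY' \
    '-----END CERTIFICATE-----' > "$WORK/intermediate.pem"

build_chain "$WORK/fullchain.pem" "$WORK/leaf.pem" "$WORK/intermediate.pem"

# Resulting nginx configuration (hypothetical paths):
#   ssl_certificate         /etc/nginx/ssl/fullchain.pem;    # sent to clients
#   ssl_certificate_key     /etc/nginx/ssl/example.key;
#   ssl_trusted_certificate /etc/nginx/ssl/intermediate.pem; # used to verify,
#                                                            # not sent
#   ssl_stapling            on;
#   ssl_stapling_verify     on;

if [ "$(count_certs "$WORK/fullchain.pem")" = 2 ] && \
   chain_order_ok "$WORK/fullchain.pem" "$WORK/leaf.pem"; then
    echo "chain file OK: $WORK/fullchain.pem"
else
    echo "chain file is malformed" >&2
fi
# Live check (uncomment with a real host): served_cert_count example.com
```

Run the script once to produce the combined file, point ssl_certificate at it, reload nginx, and then call served_cert_count against the server: the number it prints should equal what count_certs reports for the configured file.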