Encrypting TLS client certificates`
Maxim Dounin
mdounin at mdounin.ru
Wed Oct 26 15:08:00 UTC 2016
Hello!
On Tue, Oct 25, 2016 at 07:20:00PM -0400, WGH wrote:
> When nginx requests a client certificate with ssl_verify_client option,
> and client complies, the latter sends its certificate in plain text.
>
> Although it's just a public part of the certificate, one can consider it
> a kind of information disclosure, since user name, email, organization,
> etc. is transmitted in plain text.
>
> According to this stackexchange question -
> https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
> - it's technically possible to request client certificate after
> connection is encrypted.
>
> Is it possible to do that in nginx?
No. This process requires renegotiation, and renegotiation is
explicitly rejected by nginx due to security implications it has.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list