Encrypting TLS client certificates

Maxim Dounin mdounin at mdounin.ru
Wed Oct 26 15:08:00 UTC 2016


On Tue, Oct 25, 2016 at 07:20:00PM -0400, WGH wrote:

> When nginx requests a client certificate with the ssl_verify_client option,
> and the client complies, the latter sends its certificate in plain text.
> Although it's just the public part of the certificate, one can consider it
> a kind of information disclosure, since user name, email, organization,
> etc. are transmitted in plain text.
> According to this stackexchange question -
> https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
> - it's technically possible to request the client certificate after the
> connection is encrypted.
> Is it possible to do that in nginx?

No.  This process requires renegotiation, and renegotiation is 
explicitly rejected by nginx due to the security implications it has.

Maxim Dounin
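To see concretely what an on-path observer gets from the exchange discussed in this thread, the following is an added example (not code from nginx, Maxim Dounin or the original poster). It parses one direction of a TLS record stream at the record and handshake-framing layer only, with no cryptography, and reports every handshake message that is readable in the clear, extracting the DER blobs from any Certificate message among them. It goes a little beyond the message above by also running the same check over a TLS 1.3-style client flight, where the client Certificate travels inside encrypted records and therefore never shows up. All record bytes, and the stand-in "certificate", are constructed by hand for the example; the function names and the constants are this example's own.

```python
"""Report TLS handshake messages, and client certificates, sent in the clear.

Added example. The record streams below are constructed by hand, not captured
from nginx; only record-layer and handshake framing is parsed, no crypto.
"""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23

HANDSHAKE_CERTIFICATE = 11
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}


def tls_record(content_type, body, version=0x0303):
    """Record layer: 1-byte type, 2-byte legacy version, 2-byte length, body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def handshake_msg(msg_type, body):
    """Handshake framing: 1-byte type, 3-byte length, body."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def certificate_body(certs):
    """TLS 1.2 Certificate message: 3-byte list length, 3-byte-prefixed certs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


def iter_records(stream):
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length


def cleartext_handshake(stream):
    """Handshake messages an observer can read from one direction of a stream.

    Everything of content type 22 before the first ChangeCipherSpec is plain
    text in TLS 1.2; records after CCS are encrypted and skipped. TLS 1.3 puts
    its post-ServerHello handshake in application_data (type 23) records,
    which are skipped as well. Fragmented messages are reassembled.
    Returns a list of (message name, body) tuples.
    """
    buf = b""
    for ctype, body in iter_records(stream):
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            break
        if ctype == CONTENT_HANDSHAKE:
            buf += body
    msgs, off = [], 0
    while off + 4 <= len(buf):
        mtype = buf[off]
        mlen = int.from_bytes(buf[off + 1:off + 4], "big")
        mbody = buf[off + 4:off + 4 + mlen]
        if len(mbody) != mlen:
            raise ValueError("truncated handshake message")
        msgs.append((HANDSHAKE_NAMES.get(mtype, f"type{mtype}"), mbody))
        off += 4 + mlen
    return msgs


def parse_certificate_list(body):
    """Split a TLS 1.2 Certificate message body into its DER blobs."""
    total = int.from_bytes(body[:3], "big")
    data, off, out = body[3:3 + total], 0, []
    while off + 3 <= len(data):
        n = int.from_bytes(data[off:off + 3], "big")
        out.append(data[off + 3:off + 3 + n])
        off += 3 + n
    return out


def exposed_client_certs(stream):
    """DER blobs of every certificate readable in the clear from the stream."""
    certs = []
    for name, body in cleartext_handshake(stream):
        if name == "Certificate":
            certs.extend(parse_certificate_list(body))
    return certs


# Constructed stand-in for a DER client certificate. A real one carries the
# subject (CN, emailAddress, O) in DER, which is just as readable on the wire.
FAKE_CLIENT_CERT = b"\x30\x82CONSTRUCTED-DER CN=alice,emailAddress=alice@example.com"

# TLS 1.2 client second flight with client auth requested: Certificate and
# ClientKeyExchange in one record, CertificateVerify in the next, then
# ChangeCipherSpec, then an (opaque) encrypted Finished.
TLS12_CLIENT_FLIGHT = (
    tls_record(CONTENT_HANDSHAKE,
               handshake_msg(HANDSHAKE_CERTIFICATE, certificate_body([FAKE_CLIENT_CERT]))
               + handshake_msg(16, b"\x00\x20" + b"\x11" * 32))
    + tls_record(CONTENT_HANDSHAKE, handshake_msg(15, b"\x04\x03\x00\x04\xaa\xbb\xcc\xdd"))
    + tls_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + tls_record(CONTENT_HANDSHAKE, b"\x99" * 40)
)

# TLS 1.3 client: ClientHello in the clear, a compatibility ChangeCipherSpec,
# then Certificate/CertificateVerify/Finished inside an encrypted record.
TLS13_CLIENT_FLIGHT = (
    tls_record(CONTENT_HANDSHAKE,
               handshake_msg(1, b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00\x00\x00"),
               version=0x0301)
    + tls_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + tls_record(CONTENT_APPLICATION_DATA, b"\x77" * 120)
)

if __name__ == "__main__":
    for label, stream in (("TLS 1.2", TLS12_CLIENT_FLIGHT), ("TLS 1.3", TLS13_CLIENT_FLIGHT)):
        names = [n for n, _ in cleartext_handshake(stream)]
        print(label, "cleartext handshake:", names)
        print(label, "exposed certificates:", exposed_client_certs(stream))
```

Run against a real capture, feed only the client-to-server bytes of one connection: for a TLS 1.2 session with ssl_verify_client on, the Certificate message and the DER inside it come back verbatim, which is the disclosure the question describes; the TLS 1.3 flight returns only the ClientHello because the certificate is inside encrypted records.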
