Accepting Multiple TLS Client Certificates

Francis Daly francis at daoine.org
Tue Jun 25 22:27:46 UTC 2019


On Mon, Jun 24, 2019 at 04:58:48PM +0200, Johannes Gehrs wrote:

Hi there,

> as per our understanding one can provide a file with multiple certificates
> as "ssl_client_certificate". Nginx would then accept any one of the
> certificates. 

http://nginx.org/r/ssl_client_certificate has slightly different
words for what it does. It also refers to the "ssl_verify_client" and
"ssl_trusted_certificate" directives.

> In our test case we provided a chain of two certificates, a root cert and
> the client certs signed by this CA. We tried both, concatenating the files
> like this: "user1 user2 ca" and like this "user1 ca user2 ca". In all cases
> just the first certificate was accepted.
> 
> Are we misunderstanding the expected behaviour of nginx, or is this a bug,
> or are we maybe doing something wrong?

Can you provide a config that shows the problem that you report?

From your description, only the ca cert needs to be in the file; but
I think that including the other certs should not break anything. Can
you tell, are there the expected newlines in the file, between the certs?

	f
-- 
Francis Daly        francis at daoine.org
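
A check for the newline question raised in the reply above, as an added example that is not part of the original message or of nginx: it scans a concatenated PEM file for certificate markers that are run together on one line. The function name `check_pem_bundle` is hypothetical, and the sample bundles are constructed with placeholder base64 bodies, not real certificates.

```python
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BASE64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def check_pem_bundle(text):
    """Return (complete_cert_blocks, problems) for a concatenated PEM file.

    problems is a list of (line_number, message) tuples.
    """
    problems, count, inside = [], 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == BEGIN:
            if inside:
                problems.append((lineno, "BEGIN before previous block ended"))
            inside = True
        elif line == END:
            if inside:
                count += 1
            else:
                problems.append((lineno, "END without matching BEGIN"))
            inside = False
        elif BEGIN in line or END in line:
            # Typical result of `cat a.pem b.pem` when a.pem lacks a final newline.
            problems.append((lineno, "marker not alone on its line"))
        elif inside and not BASE64_LINE.fullmatch(line):
            problems.append((lineno, "non-base64 data inside block"))
    if inside:
        problems.append((lineno, "file ends inside a certificate block"))
    return count, problems


# Constructed samples: the bodies are placeholder base64, not real certificates.
GOOD = "\n".join([BEGIN, "QUFBQQ==", END, BEGIN, "QkJCQg==", END, ""])
RUN_TOGETHER = "\n".join([BEGIN, "QUFBQQ==", END + BEGIN, "QkJCQg==", END, ""])

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else RUN_TOGETHER
    found, issues = check_pem_bundle(source)
    print(f"{found} complete certificate block(s)")
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```

Run it with the path of the file given to "ssl_client_certificate" as the only argument; with no argument it reports on the constructed run-together sample.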

