$ssl_client_escaped_cert does not contain intermediate client certificates

Maxim Dounin mdounin at mdounin.ru
Mon Jul 6 15:10:23 UTC 2020


On Sat, Jul 04, 2020 at 05:52:09AM -0400, everhardt wrote:

> I have the following certificate chain: Root certificate > Intermediate
> certificate > End user certificate. 
> I've set up nginx as an SSL termination proxy for a backend service that
> differentiates it actions based on the serial of the intermediate
> certificate and the subject of the end user certificate. Only the root
> certificate is available at the (nginx) server, the client will present the
> intermediate + end user certificate.
> Relevant nginx configuration is as follows:
> ssl_client_certificate root_cert.pem; # so only the root certificate
> ssl_verify_client on;
> ssl_verify_depth 2;
> proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert; # to
> pass it on to the backend service
> Connectivity works great: nginx accepts the request if the client (I'm
> testing with curl) presents intermediate + end user certificate and passes
> it on to the backend service. If the client presents only one of the
> certificates, nginx rightly rejects it. So I'm sure curl shares both
> certificates with nginx.
> Where it goes wrong, is when nginx passes the certificate information to the
> backend service. The embedded variable $ssl_client_escaped_cert only seems
> to contain the end user certificate and not the intermediate one(s). I did
> some logging to check $ssl_client_raw_cert, but that also only contains the
> end user certificate. 
> Is there a way to get the intermediate client certificates included in these
> embedded variables?

No.  Futher, intermediate certs as sent by the client are not 
saved by the OpenSSL into session information, so the approach you 
are trying to use is not going to work at all, more or less 
universally (or at least it won't work with session resumption).  
For things to work, you may want to reconsider the approach and 
make sure all intermediate certificates are known on the server 

Maxim Dounin

More information about the nginx mailing list