$ssl_client_escaped_cert does not contain intermediate client certificates
Maxim Dounin
mdounin at mdounin.ru
Mon Jul 6 15:10:23 UTC 2020
Hello!
On Sat, Jul 04, 2020 at 05:52:09AM -0400, everhardt wrote:
> I have the following certificate chain: Root certificate > Intermediate
> certificate > End user certificate.
>
> I've set up nginx as an SSL termination proxy for a backend service that
> differentiates its actions based on the serial of the intermediate
> certificate and the subject of the end user certificate. Only the root
> certificate is available at the (nginx) server, the client will present the
> intermediate + end user certificate.
>
> Relevant nginx configuration is as follows:
>
> ssl_client_certificate root_cert.pem; # so only the root certificate
> ssl_verify_client on;
> ssl_verify_depth 2;
>
> proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert; # to
> pass it on to the backend service
>
> Connectivity works great: nginx accepts the request if the client (I'm
> testing with curl) presents intermediate + end user certificate and passes
> it on to the backend service. If the client presents only one of the
> certificates, nginx rightly rejects it. So I'm sure curl shares both
> certificates with nginx.
>
> Where it goes wrong is when nginx passes the certificate information to the
> backend service. The embedded variable $ssl_client_escaped_cert only seems
> to contain the end user certificate and not the intermediate one(s). I did
> some logging to check $ssl_client_raw_cert, but that also only contains the
> end user certificate.
>
> Is there a way to get the intermediate client certificates included in these
> embedded variables?
No. Further, intermediate certs as sent by the client are not
saved by the OpenSSL into session information, so the approach you
are trying to use is not going to work at all, more or less
universally (or at least it won't work with session resumption).
For things to work, you may want to reconsider the approach and
make sure all intermediate certificates are known on the server
instead.
--
Maxim Dounin
http://mdounin.ru/
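As an added example that is not part of the thread: the configuration below shows the approach the reply recommends, with every intermediate the server is willing to accept kept locally next to the root. The policy the backend previously tied to the intermediate's serial is keyed on the leaf's issuer DN instead, since nginx can forward only the leaf certificate. Host name, file paths, upstream name and the extra header names are placeholders.

```nginx
# Added example, not the original poster's configuration.
#
# Original approach (from the thread), kept here for contrast:
#   ssl_client_certificate root_cert.pem;   # root only; client must ship the intermediate
#   ssl_verify_depth 2;
# The intermediate the client sends is used for verification but is never
# stored, so $ssl_client_escaped_cert / $ssl_client_raw_cert carry the leaf only.

upstream backend {
    server 127.0.0.1:8080;                       # placeholder backend
}

server {
    listen 443 ssl;
    server_name example.internal;                # placeholder

    ssl_certificate     /etc/nginx/tls/server.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Root AND every intermediate that may sign client certificates,
    # concatenated in PEM order. Chain building now uses these local,
    # trusted copies; anything beyond the leaf that the client sends is
    # irrelevant, so session resumption no longer matters either.
    ssl_client_certificate /etc/nginx/tls/client_ca_chain.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;                          # root > intermediate > leaf

    location / {
        proxy_pass http://backend;

        # Leaf certificate, URL-escaped (the only certificate nginx can forward).
        proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert;

        # Issuer DN of the leaf tells the backend which local intermediate
        # signed it; the backend maps this DN to the policy it used to derive
        # from the intermediate's serial number.
        proxy_set_header X-Ssl-Client-Issuer-DN  $ssl_client_i_dn;
        proxy_set_header X-Ssl-Client-Subject-DN $ssl_client_s_dn;

        # "SUCCESS", "FAILED:<reason>" or "NONE"; lets the backend refuse
        # requests that somehow reach it without a verified client cert.
        proxy_set_header X-Ssl-Client-Verify     $ssl_client_verify;
    }
}
```

Because proxy_set_header replaces any same-named header the client itself sends, the backend can trust these values as long as it is reachable only through this nginx instance; exposing the backend port directly would let a client supply them unverified.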