$ssl_client_escaped_cert does not contain intermediate client certificates

everhardt nginx-forum at forum.nginx.org
Mon Jul 6 19:55:05 UTC 2020

Thanks for your reply, Maxim! I'll work out an alternative then. 

Re. session resumption, I read in the OpenSSL docs that OpenSSL is willing
to store the chain longer than a single request, but only if the
implementing application (nginx) is managing freeing it at the proper time
(e.g. when the session times out):
> If applications wish to use any certificates in the returned chain
> indefinitely they must increase the reference counts using X509_up_ref() or
> obtain a copy of the whole chain with X509_chain_up_ref().

P.S. I now see that HAProxy is also discussing it:

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288553,288596#msg-288596
