$ssl_client_escaped_cert does not contain intermediate client certificates

everhardt nginx-forum at forum.nginx.org
Mon Jul 6 19:55:05 UTC 2020


Thanks for your reply, Maxim! I'll work out an alternative then. 

Re. session resumption, I read in the OpenSSL docs
(https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html)
that OpenSSL is willing to store the chain longer than a single request, but
only if the implementing application (nginx) is managing freeing it at the
proper time (eg. when the session times out):
> If applications wish to use any certificates in the returned chain
indefinitely they must increase the reference counts using X509_up_ref() or
obtain a copy of the whole chain with X509_chain_up_ref().

ps. I now see that HAProxy is also discussing it:
https://www.mail-archive.com/haproxy@formilux.org/msg35607.html

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288553,288596#msg-288596



More information about the nginx mailing list