$ssl_client_escaped_cert does not contain intermediate client certificates

Maxim Dounin mdounin at mdounin.ru
Tue Jul 7 00:47:13 UTC 2020


On Mon, Jul 06, 2020 at 03:55:05PM -0400, everhardt wrote:

> Thanks for your reply, Maxim! I'll work out an alternative then. 
> Re. session resumption, I read in the OpenSSL docs
> (https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html)
> that OpenSSL is willing to store the chain longer than a single request, but
> only if the implementing application (nginx) is managing freeing it at the
> proper time (eg. when the session times out):
> > If applications wish to use any certificates in the returned chain
> > indefinitely they must increase the reference counts using X509_up_ref() or
> > obtain a copy of the whole chain with X509_chain_up_ref().

This quote is about how to use the chain if it is returned.  The
problem is that the chain is _not_ returned for resumed sessions,
and there is no way to obtain it for a resumed session as long as
the chain uses intermediate certificates provided by the client.
Saving the chain somewhere once a session is established may work
as a band-aid in some simple cases, but it is certainly not an
option in general for multiple reasons, including the fact that
this won't work with TLS session tickets when there is no
server-side state.

Maxim Dounin
