$ssl_client_escaped_cert does not contain intermediate client certificates

everhardt nginx-forum at forum.nginx.org
Tue Jul 7 07:18:36 UTC 2020


Hi Maxim,

I, naively maybe, thought the following would work. At an incoming request,
nginx checks whether the session is new or resumed. 
* new: it retrieves the chain, calls X509_chain_up_ref and stores a mapping
from session ID to the chain pointer
* resumed: it retrieves the session ID, looks up the pointer from the
mapping and retrieves the chain from the pointer

At session timeout nginx should drop the session ID from the mapping and
call X509_free on each certificate in the chain.

Best,
Rob

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288553,288600#msg-288600
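
The reference-counting lifecycle proposed in the message above, as an added example that is neither nginx nor OpenSSL code and is not from the original post. It goes one step beyond the post: a resumed lookup takes its own reference, so a session timeout cannot free a chain that a resumed connection is still using. Assumptions: chain_t is a hypothetical stand-in for STACK_OF(X509) that models only the reference count, all function names are hypothetical, and session IDs are zero-padded to 32 bytes.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for STACK_OF(X509): only the refcount is modelled. */
typedef struct { int refs; int ncerts; } chain_t;
#define SLOTS 8
#define ID_LEN 32   /* assumption: session IDs zero-padded to 32 bytes */
typedef struct { unsigned char id[ID_LEN]; chain_t *chain; int used; } slot_t;
static slot_t cache[SLOTS];
static int live_chains;   /* allocated chains, to make leaks visible */

chain_t *chain_new(int ncerts) {
    chain_t *c = malloc(sizeof *c);
    if (c) { c->refs = 1; c->ncerts = ncerts; live_chains++; }
    return c;
}
void chain_release(chain_t *c) {          /* drop one reference */
    if (c && --c->refs == 0) { free(c); live_chains--; }
}
static slot_t *find(const unsigned char *id) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && memcmp(cache[i].id, id, ID_LEN) == 0)
            return &cache[i];
    return NULL;
}
/* New session: take an extra reference and store it under the session ID. */
int on_new_session(const unsigned char *id, chain_t *c) {
    if (find(id)) return -1;              /* ID already mapped */
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].used) continue;
        memcpy(cache[i].id, id, ID_LEN);
        c->refs++;
        cache[i].chain = c; cache[i].used = 1;
        return 0;
    }
    return -1;   /* table full: a later resumption will find no chain */
}
/* Resumed session: return the chain with a reference owned by the caller. */
chain_t *on_resumed_session(const unsigned char *id) {
    slot_t *s = find(id);
    if (s) s->chain->refs++;
    return s ? s->chain : NULL;
}
/* Session timeout: drop the mapping and the cache's own reference. */
void on_session_timeout(const unsigned char *id) {
    slot_t *s = find(id);
    if (s) { chain_release(s->chain); s->chain = NULL; s->used = 0; }
}
int live_chain_count(void) { return live_chains; }
```

A table kept in one process like this covers only sessions that process has seen; it does not model session tickets or a cache shared between worker processes.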


