client certificate to upstream via nginx

Maxim Dounin mdounin at mdounin.ru
Wed Mar 29 21:39:33 UTC 2023


Hello!

On Wed, Mar 29, 2023 at 01:13:10PM +0530, Vishwas Bm wrote:

> We have a client certificate in pem format and it is having below content
> and all these certificates are present in a single file.
> serverCertificate -> intermediate CA -> rootCA
> 
> Now in the nginx.conf have below directives set:

[...]

> *  proxy_set_header ssl-client-cert $ssl_client_escaped_cert; *

[...]

> So based on above only the client certificate is sent to the upstream
> server but our expectation was that the complete pem contents including all
> the 3 certs (client, intermediate and root) will be sent to the backend.
> 
> Is our expectation correct or wrong ?
> Any change has to be done to handle this ?

I've already replied in the ticket #2476, which I assume is 
created by you (https://trac.nginx.org/nginx/ticket/2476).  For 
the record:

The $ssl_client_escaped_cert variable is expected to contain only 
the client certificate, and not the additional/extra certificates 
sent by the client.  This matches the behaviour you are seeing.

Further, it is not generally possible to provide a variable with 
extra certificates sent by the client: these certificates are not 
saved into the session data and therefore not available in resumed 
SSL sessions, see ticket #2297 
(https://trac.nginx.org/nginx/ticket/2297) and here:

https://mailman.nginx.org/pipermail/nginx-devel/2022-January/L3RBOEOUD5OFU23DYJAJG775ZJDASNEF.html

Summing the above, it might be a good idea to reconsider the setup 
you are using.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list