client certificate to upstream via nginx
Maxim Dounin
mdounin at mdounin.ru
Wed Mar 29 21:39:33 UTC 2023
Hello!
On Wed, Mar 29, 2023 at 01:13:10PM +0530, Vishwas Bm wrote:
> We have a client certificate in pem format and it is having below content
> and all these certificates are present in a single file.
> serverCertificate -> intermediate CA -> rootCA
>
> Now in the nginx.conf have below directives set:
[...]
> * proxy_set_header ssl-client-cert $ssl_client_escaped_cert; *
[...]
> So based on above only the client certificate is sent to the upstream
> server but our expectation was that the complete pem contents including all
> the 3 certs (client, intermediate and root) will be sent to the backend.
>
> Is our expectation correct or wrong ?
> Any change has to be done to handle this ?
I've already replied in the ticket #2476, which I assume is
created by you (https://trac.nginx.org/nginx/ticket/2476). For
the record:
The $ssl_client_escaped_cert variable is expected to contain only
the client certificate, and not the additional/extra certificates
sent by the client. This matches the behaviour you are seeing.
Further, it is not generally possible to provide a variable with
extra certificates sent by the client: these certificates are not
saved into the session data and therefore not available in resumed
SSL sessions, see ticket #2297
(https://trac.nginx.org/nginx/ticket/2297) and here:
https://mailman.nginx.org/pipermail/nginx-devel/2022-January/L3RBOEOUD5OFU23DYJAJG775ZJDASNEF.html
Summing the above, it might be a good idea to reconsider the setup
you are using.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list