Opened 2 years ago

Closed 2 years ago

Last modified 14 months ago

#2297 closed enhancement (wontfix)

Nginx does not provide option to read the certificate chain

Reported by: MandeepSinghChhabra@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: Cc: MandeepSinghChhabra@…
uname -a: Linux 71de78ac83ec 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 Linux
nginx -V: nginx version: nginx/1.21.4
built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
built with OpenSSL 1.1.1l 24 Aug 2021
TLS SNI support enabled


There is a server which has two known local CAs. One is a root ca (which is a self signed ca) and the other is an intermediate ca , signed by the root ca. Intermediate CA has issued a client certificate which is
shared with the client along with the chain(intermediate + root).

The chain looks as following:

ClientCert -> IntermediateCACert -> RootCACert

root ca certificate is the CA certificate which has been added in the trusted CA certificate list for the web.

From the client side, the chain is being used to establish the connection with the server. The connection gets established successfully.

Nginx does the SSL termination. Although there are options to fetch the client certificate (only the leaf certificate, using variable ssl_client_cert), there is no way to get the entire chain of certificates from Nginx.

Change History (3)

comment:1 by Maxim Dounin, 2 years ago

For the record, the reporter submitted a patch to address this. Here is the initial review. The main question is:

You may want to be more specific about which problem you are trying to solve. In particular, all root and intermediate certificates are expected to be known on the server. If they aren't for some reason, it might be a good idea to clarify why they aren't known or reconsider particular configuration.

comment:2 by Maxim Dounin, 2 years ago

Resolution: wontfix
Status: newclosed

For the record, see additional comments here. In the particular use case checking $ssl_client_i_dn should be enough. Further, it is not really possible to provide full certificate chain, since it is not available for resumed SSL sessions.

comment:3 by Maxim Dounin, 14 months ago

See also #2476.

Note: See TracTickets for help on using tickets.