#2476 closed defect (invalid)

Does nginx support sending the whole chain of client certificates over ssl_client_escaped_cert?

Reported by: Preetham777@… Owned by:
Priority: critical Milestone:
Component: nginx-module Version: 1.22.x
Keywords: client-certificate-chain, client-auth Cc: Preetham777@…
uname -a: Linux rocky8
nginx -V:

```
bash-4.4# nginx -V
nginx version: nginx/1.22.1
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-16) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_auth_request_module --with-http_degradation_module --add-dynamic-module=./3rd_party/njs-master/nginx --with-threads --with-stream --with-stream_ssl_module --with-file-aio --with-pcre-jit --without-pcre2 --with-mail --with-mail_ssl_module --with-http_drain_module --with-http_slice_module --with-http_v2_module --with-http_random_index_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_xslt_module --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --without-http_autoindex_module --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/wsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --add-module=./3rd_party/nginx_upstream_check_module --add-module=./3rd_party/nginx-sticky-module --add-module=./3rd_party/nginx-module-sts-master --add-module=./3rd_party/nginx-module-stream-sts-master --add-module=./3rd_party/nginx-module-vts-master --add-module=./3rd_party/ngx_devel_kit-0.3.0 --add-module=./3rd_party/lua-nginx-module-0.10.19 --add-module=./3rd_party/echo-nginx-module-master --add-module=./3rd_party/headers-more-nginx-module-master --add-module=./3rd_party/lua-upstream-nginx-module-master --add-module=./3rd_party/stream-lua-nginx-module-0.0.9 --add-module=./3rd_party/ngx_http_proxy_connect_module-master --add-module=./3rd_party/nginx_cookie_flag_module-master --add-module=./3rd_party/nginx_ajp_module-0.3.2 --add-module=./3rd_party/set-misc-nginx-module-0.32 --add-module=./3rd_party/ngx_http_substitutions_filter_module-master --add-dynamic-module=./3rd_party/ModSecurity-nginx-1.0.3 --with-ld-opt=-Wl,-rpath
```

Description (last modified by Preetham777@…)

Hi Team,

I'm trying a setup where client cert auth is enabled with optional_no_ca, and curl is initiated with a client cert which is a chain of certificates (in the order client, inter CA, root CA cert). But when checked in the header ssl-client-cert, only the client cert is being added, and the interCA and rootCA are discarded.
Is it supported by Nginx, and if so, is there any documentation on the same?

Here is the trimmed version of the nginx config:

```
ssl_certificate instance3.pem;
ssl_certificate_key instance3.pem;
...
server {
    ...
    ssl_client_certificate ca-pg-ca.pem;
    ssl_verify_client optional_no_ca;
    ssl_verify_depth 4;

    location ~* "/" {
        ...
        client_max_body_size 1m;
        proxy_set_header Host $best_http_host;

        # Pass the extracted client certificate to the backend
        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
        proxy_set_header ssl-client-verify $ssl_client_verify;
        proxy_set_header ssl-client-subject-dn $ssl_client_s_dn;
        proxy_set_header ssl-client-issuer-dn $ssl_client_i_dn;

        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;

        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        proxy_redirect off;
    }
}
```

  • instance3.pem contains the server cert and key in PEM format.
  • ca-pg-ca.pem contains only the rootCA cert required for the client cert auth.
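As an added example (not part of the ticket or of nginx), this is how a backend behind the configuration above could consume the forwarded headers: it URL-unescapes $ssl_client_escaped_cert, counts the PEM blocks the value actually contains, and only trusts the subject DN when ssl-client-verify reports SUCCESS, which matters because optional_no_ca forwards certificates nginx could not verify as well. The header names come from the config; the certificate body, the DN and the verify strings are constructed placeholders.

```python
import base64
import ssl
from urllib.parse import quote, unquote

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def split_pem_certs(pem: str) -> list[str]:
    """Return every PEM certificate block in `pem`, in order of appearance."""
    blocks = []
    for chunk in pem.split(PEM_BEGIN)[1:]:
        blocks.append(PEM_BEGIN + chunk.split(PEM_END, 1)[0] + PEM_END)
    return blocks


def parse_client_cert_headers(headers: dict) -> dict:
    """Decode the forwarded headers the way a backend behind this nginx should.

    With ssl_verify_client optional_no_ca nginx still forwards a certificate it
    could not verify, so trust is gated on ssl-client-verify == "SUCCESS".
    """
    verify = headers.get("ssl-client-verify", "NONE")
    pem = unquote(headers.get("ssl-client-cert", ""))  # $ssl_client_escaped_cert is URL-escaped PEM
    certs = split_pem_certs(pem)
    der = [ssl.PEM_cert_to_DER_cert(c) for c in certs]  # ValueError on a malformed block
    trusted = verify == "SUCCESS"
    return {
        "verify_status": verify,
        "trusted": trusted,
        "cert_count": len(certs),  # nginx puts only the leaf here, never the chain
        "leaf_der": der[0] if der else None,
        "subject_dn": headers.get("ssl-client-subject-dn") if trusted else None,
    }


def constructed_headers(verify_status: str) -> dict:
    """Constructed sample of what the proxy_set_header lines above produce; the PEM body is a placeholder."""
    pem = f"{PEM_BEGIN}\n{base64.b64encode(b'constructed leaf').decode()}\n{PEM_END}\n"
    return {
        "ssl-client-cert": quote(pem, safe=""),  # approximates nginx's escaping
        "ssl-client-verify": verify_status,
        "ssl-client-subject-dn": "CN=client,O=Example",
    }


if __name__ == "__main__":
    print(parse_client_cert_headers(constructed_headers("SUCCESS")))
    print(parse_client_cert_headers(constructed_headers("FAILED:unable to get local issuer certificate")))
```

The backend must also only accept these headers from the proxy itself; a client that can reach the backend directly could otherwise supply its own values.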

Change History (2)

comment:1 by Preetham777@…, 13 months ago

Description: modified (diff)

comment:2 by Maxim Dounin, 13 months ago

Resolution: invalid
Status: new → closed

> Is it supported by Nginx, and if so, is there any documentation on the same?

The documentation clearly states that the $ssl_client_escaped_cert variable returns the client certificate, and this does not imply any extra certificates sent by the client.

Further, it is not generally possible to obtain extra client certificates: these are only available during the initial SSL handshake, but not on resumed handshakes, since extra certificates are not saved into SSL session data, see ticket #2297 and details here.
