#2476 closed defect (invalid)

Does the nginx supports sending the whole chain of client certificates over the ssl_client_escaped_cert

Reported by: Preetham777@… Owned by:
Priority: critical Milestone:
Component: nginx-module Version: 1.22.x
Keywords: client-certificate-chain, client-auth Cc: Preetham777@…
uname -a: Linux rocky8
nginx -V: ```
bash-4.4# nginx -V
nginx version: nginx/1.22.1
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-16) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_auth_request_module --with-http_degradation_module --add-dynamic-module=./3rd_party/njs-master/nginx --with-threads --with-stream --with-stream_ssl_module --with-file-aio --with-pcre-jit --without-pcre2 --with-mail --with-mail_ssl_module --with-http_drain_module --with-http_slice_module --with-http_v2_module --with-http_random_index_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_xslt_module --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --without-http_autoindex_module --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/wsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --add-module=./3rd_party/nginx_upstream_check_module --add-module=./3rd_party/nginx-sticky-module --add-module=./3rd_party/nginx-module-sts-master --add-module=./3rd_party/nginx-module-stream-sts-master --add-module=./3rd_party/nginx-module-vts-master --add-module=./3rd_party/ngx_devel_kit-0.3.0 --add-module=./3rd_party/lua-nginx-module-0.10.19 --add-module=./3rd_party/echo-nginx-module-master --add-module=./3rd_party/headers-more-nginx-module-master --add-module=./3rd_party/lua-upstream-nginx-module-master --add-module=./3rd_party/stream-lua-nginx-module-0.0.9 --add-module=./3rd_party/ngx_http_proxy_connect_module-master --add-module=./3rd_party/nginx_cookie_flag_module-master --add-module=./3rd_party/nginx_ajp_module-0.3.2 --add-module=./3rd_party/set-misc-nginx-module-0.32 --add-module=./3rd_party/ngx_http_substitutions_filter_module-master --add-dynamic-module=./3rd_party/ModSecurity-nginx-1.0.3 --with-ld-opt=-Wl,-rpath
```

Description (last modified by Preetham777@…)

Hi Team,

I'm trying a setup where the client cert auth is enabled to optional_no_ca, and when the curl is initiated with client cert which is the chain of certificate ( in the order of client, inter CA, root CA cert). But when checked in the header ssl-client-cert only the client cert is being added and interCA and rootCA are discarded.
Is is supported by Nginx and if so yes is there any documentation on the same?

here is the trimmed version of nginx

`

ssl_certificate instance3.pem;

ssl_certificate_key instance3.pem;

...

server {

...

ssl_client_certificate ca-pg-ca.pem;

ssl_verify_client optional_no_ca;

ssl_verify_depth 4;

location ~* "/" {

...

client_max_body_size 1m;

proxy_set_header Host $best_http_host;

# Pass the extracted client certificate to the backend

proxy_set_header ssl-client-cert $ssl_client_escaped_cert;

proxy_set_header ssl-client-verify $ssl_client_verify;

proxy_set_header ssl-client-subject-dn $ssl_client_s_dn;

proxy_set_header ssl-client-issuer-dn $ssl_client_i_dn;

# Allow websocket connections

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header X-Request-ID $req_id;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Forwarded-Host $best_http_host;

proxy_connect_timeout 5s;

proxy_send_timeout 60s;

proxy_read_timeout 60s;

proxy_buffering off;

proxy_buffer_size 4k;

proxy_buffers 4 4k;

proxy_max_temp_file_size 1024m;

proxy_request_buffering on;

proxy_http_version 1.1;

proxy_cookie_domain off;

proxy_cookie_path off;

proxy_redirect off;

}

}

`

  • instance3.pem contains the server cert and key in the pem format.
  • ca-pg-ca.pem contains only rootCa cert required for the client cert auth.

Change History (2)

comment:1 by Preetham777@…, 21 months ago

Description: modified (diff)

comment:2 by Maxim Dounin, 21 months ago

Resolution: invalid
Status: newclosed

Is is supported by Nginx and if so yes is there any documentation on the same?

The documentation clearly states that the $ssl_client_escaped_cert variable returns the client certificate, and this does not imply any extra certificates sent by the client.

Further, it is not generally possible to obtain extra client certificates: these are only available during the initial SSL handshake, but not on resumed handshakes, since extra certificates are not saved into SSL session data, see ticket #2297 and details here.

Note: See TracTickets for help on using tickets.