id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2476	Does nginx support sending the whole chain of client certificates via ssl_client_escaped_cert	Preetham777@…		"Hi Team,

I'm trying a setup where client cert auth is set to optional_no_ca, and curl is invoked with a client cert that is a chain of certificates (in the order of client, inter CA, root CA cert). But when I check the ssl-client-cert header, only the client cert is added, and the inter CA and root CA certs are discarded.
Is this supported by nginx, and if so, is there any documentation on it?

Here is the trimmed version of the nginx config:

```
        ssl_certificate     instance3.pem;
        ssl_certificate_key instance3.pem;
        ...
        server {
                ...
                ssl_client_certificate                  ca-pg-ca.pem;
                ssl_verify_client                       optional_no_ca;
                ssl_verify_depth                        4;
                location ~* ""^/"" {
                        ...
                        client_max_body_size                    1m;
                        proxy_set_header Host                   $best_http_host;
                        # Pass the extracted client certificate to the backend
                        proxy_set_header ssl-client-cert        $ssl_client_escaped_cert;
                        proxy_set_header ssl-client-verify      $ssl_client_verify;
                        proxy_set_header ssl-client-subject-dn  $ssl_client_s_dn;
                        proxy_set_header ssl-client-issuer-dn   $ssl_client_i_dn;
                        # Allow websocket connections
                        proxy_set_header                        Upgrade           $http_upgrade;
                        proxy_set_header                        Connection        $connection_upgrade;
                        proxy_set_header X-Request-ID           $req_id;
                        proxy_set_header X-Real-IP              $remote_addr;
                        proxy_set_header X-Forwarded-For        $remote_addr;
                        proxy_set_header X-Forwarded-Host       $best_http_host;
                        proxy_connect_timeout                   5s;
                        proxy_send_timeout                      60s;
                        proxy_read_timeout                      60s;
                        proxy_buffering                         off;
                        proxy_buffer_size                       4k;
                        proxy_buffers                           4 4k;
                        proxy_max_temp_file_size                1024m;
                        proxy_request_buffering                 on;
                        proxy_http_version                      1.1;
                        proxy_cookie_domain                     off;
                        proxy_cookie_path                       off;
                        proxy_redirect  off;
                }
        }
```


* instance3.pem contains the server cert and key in PEM format.
* ca-pg-ca.pem contains only the root CA cert required for client cert auth.


"	defect	closed	critical		nginx-module	1.22.x	invalid	client-certificate-chain, client-auth	Preetham777@…	Linux rocky8	"```
bash-4.4# nginx -V
nginx version: nginx/1.22.1
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-16) (GCC)
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_auth_request_module --with-http_degradation_module --add-dynamic-module=./3rd_party/njs-master/nginx --with-threads --with-stream --with-stream_ssl_module --with-file-aio --with-pcre-jit --without-pcre2 --with-mail --with-mail_ssl_module --with-http_drain_module --with-http_slice_module --with-http_v2_module --with-http_random_index_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_xslt_module --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --without-http_autoindex_module --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/wsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --add-module=./3rd_party/nginx_upstream_check_module --add-module=./3rd_party/nginx-sticky-module --add-module=./3rd_party/nginx-module-sts-master --add-module=./3rd_party/nginx-module-stream-sts-master --add-module=./3rd_party/nginx-module-vts-master --add-module=./3rd_party/ngx_devel_kit-0.3.0 --add-module=./3rd_party/lua-nginx-module-0.10.19 --add-module=./3rd_party/echo-nginx-module-master --add-module=./3rd_party/headers-more-nginx-module-master --add-module=./3rd_party/lua-upstream-nginx-module-master 
--add-module=./3rd_party/stream-lua-nginx-module-0.0.9 --add-module=./3rd_party/ngx_http_proxy_connect_module-master --add-module=./3rd_party/nginx_cookie_flag_module-master --add-module=./3rd_party/nginx_ajp_module-0.3.2 --add-module=./3rd_party/set-misc-nginx-module-0.32 --add-module=./3rd_party/ngx_http_substitutions_filter_module-master --add-dynamic-module=./3rd_party/ModSecurity-nginx-1.0.3 --with-ld-opt=-Wl,-rpath
```"
