client certificate to upstream via nginx

V
Vishwas
  • 29 Mar '23
Hi

We have a client certificate in pem format and it is having below content
and all these certificates are present in a single file.
serverCertificate -> intermediate CA -> rootCA

Now in the nginx.conf have below directives set:

`
server {
 ...
 ssl_client_certificate ca-pg-ca.pem;
* ssl_verify_client optional_no_ca; *
 ssl_verify_depth 4;

 location ~* "^/" {
  ...
  proxy_set_header Host $best_http_host;

  # Pass the extracted client certificate to the backend
*  proxy_set_header ssl-client-cert $ssl_client_escaped_cert; *
  proxy_set_header ssl-client-verify $ssl_client_verify;
  proxy_set_header ssl-client-subject-dn $ssl_client_s_dn;
  proxy_set_header ssl-client-issuer-dn $ssl_client_i_dn;

  }

}`

Now in the nginx logs we see below traces:

`
{"message":"83#83: *874 http script var: '10.15.176.110:10443'"}
{"message":"83#83: *874 http script copy: 'ssl-client-cert'"}
{"message":"83#83: *874 http script var:
'-----BEGIN%20CERTIFICATE-----<ONLY_CLIENT_CERTIFICATE_IS_PRESENT_WITHOUT_INTERMEDIATE>-----END%20CERTIFICATE-----%0A'"}}

{"message":"83#83: *874 http script copy: 'ssl-client-verify'"}}
{"message":"83#83: *874 http script var: 'SUCCESS'"}}
{"message":"83#83: *874 http script copy: 'ssl-client-subject-dn'"}}
{"message":"83#83: *874 http script var:
'CN=clientcert.com,O=ABCD,L=Ba,ST=Ka,C=US'"}}

{"message":"83#83: *874 http script copy: 'ssl-client-issuer-dn'"}}
{"message":"83#83: *874 http script var:
'CN=intermediateca.com,O=Nk,ST=Ka,C=US'"}}

`

So based on above only the client certificate is sent to the upstream
server but our expectation was that the complete pem contents including all
the 3 certs (client, intermediate and root) will be sent to the backend.

Is our expectation correct or wrong ?
Any change has to be done to handle this ?

Nginx version used: 1.22.1

*Thanks & Regards,*

*Vishwas *
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230329/ad593ab6/attachment.htm>
M
Maxim
  • 29 Mar '23
Hello!

On Wed, Mar 29, 2023 at 01:13:10PM +0530, Vishwas Bm wrote:

> We have a client certificate in pem format and it is having below content
> and all these certificates are present in a single file.
> serverCertificate -> intermediate CA -> rootCA
> 
> Now in the nginx.conf have below directives set:

[...]

> *  proxy_set_header ssl-client-cert $ssl_client_escaped_cert; *

[...]

> So based on above only the client certificate is sent to the upstream
> server but our expectation was that the complete pem contents including all
> the 3 certs (client, intermediate and root) will be sent to the backend.
> 
> Is our expectation correct or wrong ?
> Any change has to be done to handle this ?

I've already replied in the ticket #2476, which I assume is 
created by you (https://trac.nginx.org/nginx/ticket/2476).  For 
the record:

The $ssl_client_escaped_cert variable is expected to contain only 
the client certificate, and not the additional/extra certificates 
sent by the client.  This matches the behaviour you are seeing.

Further, it is not generally possible to provide a variable with 
extra certificates sent by the client: these certificates are not 
saved into the session data and therefore not available in resumed 
SSL sessions, see ticket #2297 
(https://trac.nginx.org/nginx/ticket/2297) and here:

https://mailman.nginx.org/pipermail/nginx-devel/2022-January/L3RBOEOUD5OFU23DYJAJG775ZJDASNEF.html

Summing the above, it might be a good idea to reconsider the setup 
you are using.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
  • Page 1 of 1
Reply