Hello! On Wed, Mar 29, 2023 at 01:13:10PM +0530, Vishwas Bm wrote:
> We have a client certificate in pem format and it is having below content > and all these certificates are present in a single file. > serverCertificate -> intermediate CA -> rootCA > > Now in the nginx.conf have below directives set: [...] > * proxy_set_header ssl-client-cert $ssl_client_escaped_cert; * [...] > So based on above only the client certificate is sent to the upstream > server but our expectation was that the complete pem contents including all > the 3 certs (client, intermediate and root) will be sent to the backend. > > Is our expectation correct or wrong ? > Any change has to be done to handle this ? I've already replied in the ticket #2476, which I assume is created by you (https://trac.nginx.org/nginx/ticket/2476). For the record: The $ssl_client_escaped_cert variable is expected to contain only the client certificate, and not the additional/extra certificates sent by the client. This matches the behaviour you are seeing. Further, it is not generally possible to provide a variable with extra certificates sent by the client: these certificates are not saved into the session data and therefore not available in resumed SSL sessions, see ticket #2297 (https://trac.nginx.org/nginx/ticket/2297) and here: https://mailman.nginx.org/pipermail/nginx-devel/2022-January/L3RBOEOUD5OFU23DYJAJG775ZJDASNEF.html Summing the above, it might be a good idea to reconsider the setup you are using. Hope this helps. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx
