Re: $ssl_client_escaped_cert does not contain intermediate client certificates

2020-07-07 Thread everhardt
Hi Maxim, I, naively maybe, thought the following would work. At an incoming request, nginx checks whether the session is new or resumed. * new: it retrieves the chain, calls X509_chain_up_ref and stores a mapping from session ID to the chain pointer * resumed: it retrieves the session ID, looks

Re: $ssl_client_escaped_cert does not contain intermediate client certificates

2020-07-06 Thread Maxim Dounin
Hello! On Mon, Jul 06, 2020 at 03:55:05PM -0400, everhardt wrote: > Thanks for your reply, Maxim! I'll work out an alternative then. > > Re. session resumption, I read in the OpenSSL docs > (https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html) > that OpenSSL is willing to st

Re: $ssl_client_escaped_cert does not contain intermediate client certificates

2020-07-06 Thread everhardt
Thanks for your reply, Maxim! I'll work out an alternative then. Re. session resumption, I read in the OpenSSL docs (https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html) that OpenSSL is willing to store the chain longer than a single request, but only if the implementing appli

Re: $ssl_client_escaped_cert does not contain intermediate client certificates

2020-07-06 Thread Maxim Dounin
Hello! On Sat, Jul 04, 2020 at 05:52:09AM -0400, everhardt wrote: > I have the following certificate chain: Root certificate > Intermediate > certificate > End user certificate. > > I've set up nginx as an SSL termination proxy for a backend service that > differentiates its actions based on the

$ssl_client_escaped_cert does not contain intermediate client certificates

2020-07-04 Thread everhardt
I have the following certificate chain: Root certificate > Intermediate certificate > End user certificate. I've set up nginx as an SSL termination proxy for a backend service that differentiates its actions based on the serial of the intermediate certificate and the subject of the end user certif