Hi,
I have a use case where I want to proxy client certificate to upstream services but do not want to validate cert on Nginx.
I have a single server and the following SSL configuration -
server {
listen 443 ssl;
server_name server.app1;
ssl on;
ssl_certificate /etc/nginx/ssl/server.pem;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_verify_client off;
}
And my client uses openssl to make a request similar to the one below:
/usr/bin/openssl s_client -cert client.pem -key client.key -connect server.app1:443
With this request, I have no issue, I don't validate the request on nginx and receive the cert on upstream service.
But when I add the SNI (Server Name Indication) extension to OpenSSL, I don't receive the certificate:
/usr/bin/openssl s_client -cert client.pem -key client.key -connect server.app1:443 -servername server.app1
Both the above cases had the same SSL configuration (ssl_verify_client off;). So I'm confused as to why adding SNI should change nginx behavior.
A Wireshark capture revealed that when SNI is disabled, nginx doesn't make a certificate request to the client:
Client-verify off (without servername) : Server Hello, Server Key Exchange, Certificate Request, Server Hello Done
Client-verify off + servername : Server Hello, Certificate, Server Key Exchange, Server Hello Done
Does anyone know why nginx doesn't make a certificate request only with SNI disabled? (I might expect it not to ask for client cert in both the cases but not different behavior in each case)
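An added example, not from the poster's mail and not nginx or OpenSSL code: a small Python parser that walks the raw server flight of a TLS 1.2 handshake (one or more records of content type 22, with handshake messages possibly split across records), lists the handshake messages in order, and reports whether a CertificateRequest is present. That is the check the Wireshark observation above comes down to, and it lets the two captures be compared mechanically. The two sample flights are constructed byte strings mirroring the message orders listed above, not real captures; the handshake bodies are placeholders since only the framing matters here.

```python
import struct

# Handshake message type codes from RFC 5246 (TLS 1.2).
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
    11: "Certificate", 12: "ServerKeyExchange", 13: "CertificateRequest",
    14: "ServerHelloDone", 15: "CertificateVerify", 16: "ClientKeyExchange",
    20: "Finished",
}
HANDSHAKE_RECORD = 22  # TLS record content type for handshake messages


def parse_server_flight(data):
    """Return the ordered list of handshake message names in a raw server flight.

    `data` is the byte stream the server sent after ClientHello: one or more TLS
    records. Handshake messages may be split across records, so all handshake
    record payloads are concatenated before the message headers are parsed.
    """
    body = bytearray()
    offset = 0
    while offset < len(data):
        if offset + 5 > len(data):
            raise ValueError("truncated TLS record header")
        ctype, _version, length = struct.unpack("!BHH", data[offset:offset + 5])
        offset += 5
        fragment = data[offset:offset + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record body")
        offset += length
        if ctype == HANDSHAKE_RECORD:
            body += fragment
    names = []
    pos = 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated handshake header")
        htype = body[pos]
        hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        pos += 4
        if pos + hlen > len(body):
            raise ValueError("truncated handshake message")
        names.append(HANDSHAKE_TYPES.get(htype, "Unknown(%d)" % htype))
        pos += hlen
    return names


def requests_client_cert(data):
    """True when the server flight contains a CertificateRequest message."""
    return "CertificateRequest" in parse_server_flight(data)


# --- constructed sample flights (placeholders, not real captures) -------------

def _handshake(htype, payload):
    # 1-byte type + 3-byte length + body
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


def _record(payload):
    # content type 22, version TLS 1.2 (0x0303), 2-byte length + payload
    return bytes([HANDSHAKE_RECORD, 0x03, 0x03]) + len(payload).to_bytes(2, "big") + payload


# Placeholder bodies: only the framing matters for this parser.
_SERVER_HELLO = _handshake(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
_CERTIFICATE = _handshake(11, b"\x00\x00\x00")          # empty certificate_list
_SERVER_KEY_EXCHANGE = _handshake(12, b"\x03\x00\x17")  # placeholder ECDHE params
_CERT_REQUEST = _handshake(13, b"\x01\x40\x00\x02\x04\x01\x00\x00")
_SERVER_HELLO_DONE = _handshake(14, b"")

# Flight like the poster's "without servername" capture, deliberately split
# across two records so the reassembly path is exercised.
FLIGHT_WITHOUT_SNI = (
    _record(_SERVER_HELLO + _SERVER_KEY_EXCHANGE[:3])
    + _record(_SERVER_KEY_EXCHANGE[3:] + _CERT_REQUEST + _SERVER_HELLO_DONE)
)
# Flight like the "with servername" capture: no CertificateRequest.
FLIGHT_WITH_SNI = _record(
    _SERVER_HELLO + _CERTIFICATE + _SERVER_KEY_EXCHANGE + _SERVER_HELLO_DONE
)

if __name__ == "__main__":
    for label, flight in (("without servername", FLIGHT_WITHOUT_SNI),
                          ("with servername", FLIGHT_WITH_SNI)):
        print(label, parse_server_flight(flight),
              "client cert requested:", requests_client_cert(flight))
```

To use it on a real capture, export the server-to-client bytes of a session from Wireshark (Follow TCP Stream, raw, server direction only) up to ServerHelloDone and pass them to `parse_server_flight`; any encrypted records after the first flight are skipped by the content-type filter only if they are not handshake records, so stop the export at ServerHelloDone.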