Hello! On Fri, Jun 14, 2019 at 06:09:22AM -0400, niegus wrote:
> Hi, > > I have my nginx configured with client_certificate authentication: > > ssl_client_certificate /etc/nginx/ssl/cas.pem; > ssl_verify_client optional; > ssl_verify_depth 2; > And is working fine, but I need to NOT send the CAs to the client during the > handshake. > > I've seen > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate > in the documentation. So, I've changed it to: > > ssl_trusted_certificate /etc/nginx/ssl/cas.pem; > ssl_verify_depth 2; > > But now ssl_client_verify is always to NONE, and actually I saw in wireshark > that the client is not sending the certificate. > > What am I doing wrong? For the client certificate authentication to work, you have to configure ssl_verify_client, and ssl_client_certificate with at least one certificate (unless you are using "ssl_verify_client optional_no_ca;"). Any certificates specified in ssl_trusted_certificate will be additionally trusted, but you still have to specify at least one certificate in ssl_client_certificate. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
