Hi all, I have an Nginx 1.7.6 server serving HTTPS content, and I've been tweaking the configuration lately to ensure it is secure and performant[1].
One component of this is ensuring that the intermediate certificate from my CA is sent along to any clients connecting to my server, to ensure they don't have to fetch it from somewhere else and risk at best a longer connection time, and at worst some sort of (unlikely) tampering. The traditional way to do this, as far as I'm aware, is to concatenate any intermediate certs, as well as the actual certificate for your domain, into one file, and then tell Nginx about it using the ssl_client_certificate directive. This works great, but I wanted to see if there was a way to keep the different certificates in different files, just for clarity and ease of maintenance.

I put the intermediate cert in another file and told Nginx about it with the ssl_trusted_certificate directive, and everything worked great! However, the docs[2] for ssl_trusted_certificate specifically state the following:

    In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.

This seems to be at odds with what I'm experiencing. At first I thought it was possible that the certificate was sent because I had ssl_stapling set to on, to ensure OCSP responses are also included, but turning that option off still sends the intermediate cert when new connections are being initialized. Only removing the ssl_trusted_certificate line from my config causes the SSL Test to show that not all intermediate certs are sent.

A nearly unmodified copy of my configs can be found on GitHub[3], and I would very much like to know if my configuration is working because I am misunderstanding something (by far the most likely), because the docs are wrong, because there is a bug in Nginx, or something else.
Thanks,
Julian

[1] Mostly by following the SSL Labs Server Test https://www.ssllabs.com/ssltest/index.html
[2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
[3] https://github.com/orangejulius/https-on-nginx/blob/master/ssl.conf and https://github.com/orangejulius/https-on-nginx/blob/master/example-site.conf
nginx mailing list: http://mailman.nginx.org/mailman/listinfo/nginx
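An added check for the question above (example code, not part of Julian's post or of nginx): it parses the certificate list that `openssl s_client -showcerts` prints and verifies that the server sent a linked chain beyond the leaf, so a missing intermediate shows up without an external scanner. The host name, port and the embedded sample output are constructed placeholders.

```python
"""Check which certificate chain a TLS server actually sends.

Parses the "Certificate chain" section printed by
`openssl s_client -connect host:443 -servername host -showcerts`
and checks that each certificate, in the order sent, is issued by the next.
"""
import re
import subprocess
from typing import List, Tuple

# Constructed sample of s_client output; PEM bodies are elided and the
# subject/issuer names are placeholders, not a real site or CA.
SAMPLE_CHAIN_OUTPUT = """\
---
Certificate chain
 0 s:/CN=example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
"""

# Matches one "N s:<subject>" line followed by its "i:<issuer>" line;
# works for both the old "/CN=x" and the newer "CN = x" name formats.
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(output)]


def chain_is_linked(chain: List[Tuple[str, str]]) -> bool:
    """True if each certificate's issuer is the subject of the next one.

    The last certificate may be issued by something not sent (normally the
    root, which clients carry in their own trust store).
    """
    if not chain:
        return False
    return all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))


def intermediates_sent(chain: List[Tuple[str, str]]) -> bool:
    """True if the server sent at least one CA certificate after the leaf."""
    return len(chain) >= 2 and chain_is_linked(chain)


def fetch_chain(host: str, port: int = 443) -> List[Tuple[str, str]]:
    """Run openssl s_client against a server you operate and parse the chain."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True, check=False)
    return parse_chain(proc.stdout.decode(errors="replace"))
```

In nginx the file named by ssl_certificate is what is served to clients, so the leaf plus intermediates belong there; ssl_trusted_certificate is only consulted when verifying client certificates and stapled OCSP responses.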
