When nginx requests a client certificate with the ssl_verify_client option and the client complies, the latter sends its certificate in plain text.

Although it's just the public part of the certificate, one can consider it a kind of information disclosure, since the user name, email, organization, etc. are transmitted in plain text. According to this stackexchange question - https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates - it's technically possible to request the client certificate after the connection is encrypted. Is it possible to do that in nginx?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270558,270558#msg-270558
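The exposure the post describes can be checked directly on the wire: in a TLS 1.2 handshake the client's Certificate message travels in a plaintext handshake record before the client's ChangeCipherSpec, so anyone on the path can read the subject, e-mail and organization out of it, whereas TLS 1.3 sends the client Certificate only after the handshake traffic keys are in place (carried in application_data records). The script below is an added example, not code from the original post or from nginx; it parses the TLS record and handshake framing of one direction of a handshake and reports which handshake messages were readable. Both byte streams are constructed by hand to mirror a client-to-server flight with client authentication (they are not captured traffic), the certificate body is a placeholder string rather than real DER, and the function names are the example's own.

```python
"""Which TLS handshake messages can a passive observer read?

Added example, not code from the original post. The byte streams below are
constructed by hand to mirror a client->server flight of a handshake with
client authentication; the certificate body is a placeholder, not real DER.
"""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23

HS_CLIENT_HELLO = 1
HS_CERTIFICATE = 11
HS_CERTIFICATE_VERIFY = 15
HS_CLIENT_KEY_EXCHANGE = 16

HANDSHAKE_NAMES = {1: "ClientHello", 11: "Certificate", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}


def record(content_type, body, version=0x0303):
    """Wrap body in a TLS record header: type, legacy version, 16-bit length."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def handshake(msg_type, body):
    """Wrap body in a handshake header: type, 24-bit length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def iter_records(stream):
    """Yield (content_type, fragment) for every record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        off += 5
        yield ctype, stream[off:off + length]
        off += length


def iter_handshake_messages(fragment):
    """Yield (msg_type, body) for each handshake message packed in a fragment."""
    off = 0
    while off + 4 <= len(fragment):
        msg_type = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        off += 4
        yield msg_type, fragment[off:off + length]
        off += length


def cleartext_handshake(stream):
    """Return {handshake_type: body} for the messages an on-path observer can read.

    Handshake records before the sender's ChangeCipherSpec are plaintext.
    After it, handshake records are encrypted (TLS 1.2 Finished), and
    application_data records (how TLS 1.3 carries its encrypted handshake)
    are opaque, so neither is parsed.
    """
    seen = {}
    encrypted = False
    for ctype, fragment in iter_records(stream):
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            encrypted = True
            continue
        if ctype != CONTENT_HANDSHAKE or encrypted:
            continue
        for msg_type, body in iter_handshake_messages(fragment):
            seen[msg_type] = body
    return seen


def certificate_exposed(stream):
    """Return the cleartext Certificate message body, or None if it was encrypted."""
    return cleartext_handshake(stream).get(HS_CERTIFICATE)


# Constructed placeholder standing in for a DER certificate; in a real
# Certificate message the subject and email are equally readable.
FAKE_CERT = b"CN=alice,[email protected],O=Example Org"


def _cert_list(cert):
    """certificate_list: 3-byte total length, then 3-byte-length-prefixed entries."""
    entry = len(cert).to_bytes(3, "big") + cert
    return len(entry).to_bytes(3, "big") + entry


_CLIENT_HELLO = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"

# TLS 1.2 client flight after the server's CertificateRequest: Certificate,
# ClientKeyExchange and CertificateVerify all precede ChangeCipherSpec.
TLS12_CLIENT_FLIGHT = (
    record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_HELLO, _CLIENT_HELLO))
    + record(CONTENT_HANDSHAKE,
             handshake(HS_CERTIFICATE, _cert_list(FAKE_CERT))
             + handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x20" + b"\x11" * 32)
             + handshake(HS_CERTIFICATE_VERIFY, b"\x04\x01\x00\x04" + b"\x22" * 4))
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + record(CONTENT_HANDSHAKE, b"\x99" * 40)  # encrypted Finished, opaque
)

# TLS 1.3 client flight: only ClientHello is plaintext; Certificate,
# CertificateVerify and Finished ride encrypted in application_data records.
TLS13_CLIENT_FLIGHT = (
    record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_HELLO, _CLIENT_HELLO))
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")  # middlebox-compat CCS
    + record(CONTENT_APPLICATION_DATA, b"\x77" * 120)  # encrypted handshake
)

if __name__ == "__main__":
    for label, flight in (("TLS 1.2", TLS12_CLIENT_FLIGHT), ("TLS 1.3", TLS13_CLIENT_FLIGHT)):
        names = [HANDSHAKE_NAMES.get(t, str(t)) for t in cleartext_handshake(flight)]
        print(f"{label}: readable handshake messages: {names}")
        cert = certificate_exposed(flight)
        print(f"{label}: client certificate in the clear: {cert!r}")
```

The parser covers a single direction of one handshake, which is enough for the question: the client Certificate is exposed exactly when it appears in a handshake record before that side's ChangeCipherSpec. Point the same parser at the server-to-client bytes and it will equally show the server certificate in the clear under TLS 1.2 and hidden under TLS 1.3.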
