Hello!

On Tue, Oct 25, 2016 at 07:20:00PM -0400, WGH wrote:

> When nginx requests a client certificate with the ssl_verify_client option,
> and the client complies, the latter sends its certificate in plain text.
>
> Although it's just the public part of the certificate, one can consider it
> a kind of information disclosure, since user name, email, organization,
> etc. are transmitted in plain text.
>
> According to this stackexchange question -
> https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
> - it's technically possible to request the client certificate after the
> connection is encrypted.
>
> Is it possible to do that in nginx?

No. This process requires renegotiation, and renegotiation is explicitly
rejected by nginx due to the security implications it has.

-- 
Maxim Dounin
http://nginx.org/
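The point WGH raises is that in a TLS 1.2 handshake the client's Certificate message travels in a plaintext handshake record, so anyone on the path can read the subject, SAN e-mail addresses and so on, and the only way to move it under encryption in TLS 1.2 is a renegotiation, which nginx refuses. The following Python script is an added example, not code from the thread or from nginx: it parses TLS records and flags Certificate handshake messages (handshake type 11) that appear in an unencrypted handshake record, and shows that the same message carried inside an encrypted application-data record (what a post-handshake renegotiation would look like on the wire) is opaque to a passive observer. The byte strings are constructed in the script for the demonstration; the "certificate" payload is a placeholder, not a real DER certificate.

```python
"""Passive check: is a TLS client certificate visible in cleartext on the wire?

Added example, not from the nginx thread. All wire data below is constructed
inline; FAKE_CERT is a placeholder blob, not a real DER-encoded certificate.
"""
import struct

CONTENT_HANDSHAKE = 0x16      # TLS record content type: Handshake
CONTENT_APPDATA = 0x17        # TLS record content type: ApplicationData (encrypted)
HS_CLIENT_HELLO = 1           # handshake message type: ClientHello
HS_CERTIFICATE = 11           # handshake message type: Certificate
TLS12 = 0x0303


def iter_records(stream: bytes):
    """Yield (content_type, version, body) for each TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, body
        off += 5 + length


def iter_handshakes(body: bytes):
    """Yield (handshake_type, message) from a plaintext Handshake record body."""
    off = 0
    while off + 4 <= len(body):
        hs_type = body[off]
        hs_len = int.from_bytes(body[off + 1:off + 4], "big")
        msg = body[off + 4:off + 4 + hs_len]
        if len(msg) < hs_len:
            raise ValueError("truncated handshake message")
        yield hs_type, msg
        off += 4 + hs_len


def parse_certificate_message(msg: bytes):
    """Certificate message: uint24 list length, then (uint24 length, DER) entries."""
    total = int.from_bytes(msg[0:3], "big")
    off, certs = 3, []
    while off < 3 + total:
        clen = int.from_bytes(msg[off:off + 3], "big")
        certs.append(msg[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def cleartext_certificates(stream: bytes):
    """Return every certificate blob an on-path observer can read from the stream.

    Only Handshake records (0x16) are parsed; ApplicationData records (0x17)
    carry ciphertext, so a certificate sent inside a renegotiation is invisible.
    """
    found = []
    for ctype, _version, body in iter_records(stream):
        if ctype != CONTENT_HANDSHAKE:
            continue
        for hs_type, msg in iter_handshakes(body):
            if hs_type == HS_CERTIFICATE:
                found.extend(parse_certificate_message(msg))
    return found


# --- helpers to build the constructed samples --------------------------------

def build_record(ctype: int, body: bytes, version: int = TLS12) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_handshake(hs_type: int, payload: bytes) -> bytes:
    return bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload


def build_certificate_message(certs) -> bytes:
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return build_handshake(HS_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)


# Constructed placeholder; a real client cert would be DER starting with 0x30 0x82.
FAKE_CERT = b"PLACEHOLDER-CLIENT-CERT-DER:CN=alice,[email protected]"

# Initial TLS 1.2 handshake with ssl_verify_client: the Certificate message rides
# in a plaintext Handshake record right after the (dummy) ClientHello.
INITIAL_HANDSHAKE = (
    build_record(CONTENT_HANDSHAKE, build_handshake(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
    + build_record(CONTENT_HANDSHAKE, build_certificate_message([FAKE_CERT]))
)

# Renegotiation after the first handshake: the same Certificate message is sent
# inside an encrypted ApplicationData record. The ciphertext is faked here with
# zero bytes of the same length; an observer sees only opaque bytes either way.
RENEGOTIATED = build_record(CONTENT_APPDATA, b"\x00" * len(build_certificate_message([FAKE_CERT])))


if __name__ == "__main__":
    for label, stream in (("initial handshake", INITIAL_HANDSHAKE), ("renegotiation", RENEGOTIATED)):
        certs = cleartext_certificates(stream)
        print(f"{label}: {len(certs)} certificate(s) readable in cleartext")
        for c in certs:
            print("  ", c)
```

Running the script reports one readable certificate for the initial handshake and none for the renegotiated exchange, which is exactly the trade-off in the answer above: hiding the certificate in TLS 1.2 means accepting renegotiation, and nginx has chosen not to.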
