Nginx client cert verification: ssl_client_certificate vs ssl_trusted_certificate

nginxsslssl-certificate

The documentation for ssl_client_certificate says:

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.

Why is this list sent to clients? I thought the client verification process has the client send its cert (and intermediates) to the server for verification. Is this inefficient if the file this property points to is large?

On the flip side, it says to use ssl_trusted_certificate if you don't want to send the certificates to the client. If I remove ssl_client_certificate and only set ssl_trusted_certificate then nginx doesn't start since I have ssl_verify_client on;

Best Answer

As part of the TLS handshake a server will (if configured to require client authentication via X.509 certificates) send a certificate request back to the client. Part of this request is a list of CA certificates which the server trusts. A client is expected to send a client authentication certificate that chains to one of the CA certificates in this list.

If you think about it, it's pointless for the client to send a certificate if it can't be verified by the server, so it makes sense for the server to send the list of CA certificates it trusts. It would be inefficient for the client to send certificates to the server if the server doesn't trust them. This is especially true for a client which has many certificates - it would have to send them all in the hope that one is trusted by the server.

nginx generates this list from the file of certificates pointed to by ssl_client_certificate. You need to send this list or switch off ssl_verify_client.

Also note that ssl_trusted_certificate will verify client certificates, but the certificates in the file pointed to by this directive are not sent to the client as part of the TLS handshake. Instead, these CA certificates can be used for verifying OCSP responses when OCSP stapling is configured.

You can read about it in RFC 5246, section 7.4.4 and while you're there you can read about all the other gory details of the TLS handshake.

Related Topic