corru

Reputation: 21

nginx with TLS client authentication... Error response is not mutually authenticated?

I played around with nginx and mutual TLS authentication. For that I configured the nginx server to actually use client authentication with the config parameter:

ssl_verify_client on;

It works, but I have a question regarding the termination process.

If I do a GET request to e.g. https://localhost and ssl_verify_client on; is set, I get an HTTP response even if I don't deliver a valid client certificate:

400 Bad Request No required SSL certificate was sent

For me it would make sense that the TLS connection is terminated at the TLS handshake. Why do I get an HTTP response when the connection is not mutually authenticated?

I also read RFC 5246 and it basically says that it can be done this way (designers choice):

The TLS standard, however, does not specify how protocols add security with TLS; the decisions on how to initiate TLS handshaking and how to interpret the authentication certificates exchanged are left to the judgment of the designers and implementors of protocols that run on top of TLS.

Are there good arguments to do it on the application layer instead of the transport layer? Is there a possibility to terminate the TLS connection earlier without using a proxy (e.g. HAProxy)?

Upvotes: 2

Views: 850
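Added example, not the asker's configuration: a server block using the directive from the question, with nginx's non-standard 495/496 error codes mapped to explicit responses and the verification result ($ssl_client_verify) written to the access log, so the post-handshake rejection the asker observes is visible to an operator. Certificate paths, server_name and log path are placeholders.

```nginx
# Added example (not the asker's config). Paths and server_name are placeholders.
log_format mtls '$remote_addr "$request" $status ssl_verify=$ssl_client_verify';

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/tls/server.pem;   # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder

    # Client certificates must chain to this CA. With "on", requests without
    # a valid certificate are rejected, but nginx completes the TLS handshake
    # first and answers at the HTTP layer (400 by default), as the question observes.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;  # placeholder
    ssl_verify_client on;

    # nginx's internal codes for the two failure cases; mapping them makes the
    # reason for the rejection explicit instead of a generic 400.
    error_page 495 = @cert_error;     # certificate presented but failed verification
    error_page 496 = @cert_required;  # no certificate presented

    location @cert_error    { return 400 "client certificate verification failed\n"; }
    location @cert_required { return 400 "client certificate required\n"; }

    # $ssl_client_verify is SUCCESS, NONE, or FAILED:<reason> per request.
    access_log /var/log/nginx/mtls.log mtls;  # placeholder path

    location / {
        root /var/www/html;
    }
}
```

Requests without a certificate appear in the log with ssl_verify=NONE and status 400, which is the handshake-completed, HTTP-layer rejection described in the question.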

Answers (0)
