Ido

Reputation: 3

Which client certificate auth validations are done by NGINX for auth-tls-verify-client = optional_no_ca

We have a K8S service leveraging NGINX, and in some flows we would like to accept client certificate authentication.
The service has a dynamic list of trusted public client certificates (PEM format), and the root CAs aren't known.
In NGINX, it seems like the best setting to use would be:

nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca

While sending the full certificate ($ssl_client_escaped_cert) to the upstream service to compare the entire public cert.

The question is whether NGINX will still perform the client cert validations during the SSL handshake (and only skip the CA checks), to verify that the request is indeed sent by the one and only owner of the cert and its private key.

Upvotes: 0

Views: 541

Answers (1)

Steffen Ullrich

Reputation: 123551

It will still check in the TLS handshake that the public key in the certificate can be used to verify the signature in CertificateVerify, i.e. that the client actually owns the private key to the sent certificate.

It will not check that the certificate itself is issued by a trusted CA etc.; such verifications are expected to be done elsewhere.

Upvotes: 0
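The two halves of the answer, the proof of possession the handshake does and the certificate check the upstream has to do, as an added example in Go (not code from the question, the answer or nginx). It assumes that Go's tls.RequireAnyClientCert is the counterpart of nginx's optional_no_ca (a client certificate is demanded and CertificateVerify is checked, but no chain to a CA is built), and that the upstream's policy is to compare the exact certificate bytes by SHA-256 fingerprint, as the question proposes. The certificates, the names alice and mallory, the in-memory pipe and the 2-second deadline are constructed test scaffolding; the three handshakes show a pinned cert passing, an unlisted cert failing at the pin, and a pinned cert presented with somebody else's private key failing in CertificateVerify before any application-level check runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Fingerprint is what the upstream pins on: a hash of the exact DER bytes.
func Fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// CheckPinned is the upstream-side policy. The handshake already proved the peer holds
// the private key; nothing vouched for the certificate itself, so the exact bytes are
// compared against the known list and the validity window is enforced here as well.
func CheckPinned(rawCerts [][]byte, allow map[[32]byte]bool, now time.Time) error {
	if len(rawCerts) == 0 {
		return errors.New("no client certificate presented")
	}
	if !allow[Fingerprint(rawCerts[0])] {
		return errors.New("client certificate not in allowlist")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("client certificate %q outside its validity window", leaf.Subject.CommonName)
	}
	return nil
}

// SelfSigned mints a throwaway P-256 certificate: constructed test data standing in
// for the question's client certificates, whose CAs the server does not know.
func SelfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs a TLS 1.3 handshake in memory. The server demands a client certificate
// without CA verification (tls.RequireAnyClientCert, assumed counterpart of optional_no_ca),
// still checks CertificateVerify, and runs the pinning policy from VerifyPeerCertificate.
func Handshake(serverCert, clientCert tls.Certificate, allow map[[32]byte]bool) error {
	srvConf := &tls.Config{
		MinVersion:             tls.VersionTLS13,
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAnyClientCert,
		SessionTicketsDisabled: true, // avoids an extra server write over the synchronous pipe
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return CheckPinned(rawCerts, allow, time.Now())
		},
	}
	cliConf := &tls.Config{
		MinVersion:         tls.VersionTLS13,
		Certificates:       []tls.Certificate{clientCert},
		InsecureSkipVerify: true, // test client only: the server's identity is not what is under test
	}
	srvEnd, cliEnd := net.Pipe()
	defer srvEnd.Close()
	defer cliEnd.Close()
	// Pipe writes block until read, so after a rejection (server alert vs. an unread
	// client Finished) both sides would stall; the deadline turns that into an error.
	deadline := time.Now().Add(2 * time.Second)
	srvEnd.SetDeadline(deadline)
	cliEnd.SetDeadline(deadline)
	verdict := make(chan error, 1)
	go func() { verdict <- tls.Server(srvEnd, srvConf).Handshake() }()
	clientErr := tls.Client(cliEnd, cliConf).Handshake()
	if serverErr := <-verdict; serverErr != nil {
		return serverErr // the server's verdict is the one that matters here
	}
	return clientErr
}

func main() {
	server, alice, mallory := SelfSigned("localhost"), SelfSigned("alice"), SelfSigned("mallory")
	allow := map[[32]byte]bool{Fingerprint(alice.Certificate[0]): true}
	fmt.Println("alice, own key:           ", Handshake(server, alice, allow))
	fmt.Println("mallory, own key:         ", Handshake(server, mallory, allow))
	impostor := tls.Certificate{Certificate: alice.Certificate, PrivateKey: mallory.PrivateKey}
	fmt.Println("alice's cert, mallory key:", Handshake(server, impostor, allow))
}
```

On a real upstream behind nginx, the value of $ssl_client_escaped_cert is the PEM certificate percent-encoded, so unescaping it and running it through a PEM decoder yields the same DER bytes that CheckPinned hashes (in ingress-nginx, forwarding the certificate at all is governed by a separate annotation, auth-tls-pass-certificate-to-upstream). Two practical points the example makes explicit: the allowlist comparison is the trust decision, so do not substitute nginx's verification variables for it when no CA is known, and because no chain is validated, nothing upstream of the service has enforced validity dates, which is why CheckPinned does it.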
