0

I have a web service to be used with or without SSL client certificate. The users will get full access only when their browser is authentificated with the certificate. Otherwise they get a basic functionality.

The nginx settings for that are:

ssl_client_certificate /etc/nginx/client-cert/ca.crt;
ssl_verify_client optional;

The problem is that no browser prompts for the certificate to be selected when connecting to the service.

What is the behavior i should expect when ssl_verify_client is optional? Should i still get the prompt?

If it is, where might be the problem?

If not prompting is the expected behavior, how would i force the browser to send that particular certificate to the service?

Running nginx 1.10.3 on Ubuntu 16.04.4 LTS

nginx config: https://pastebin.com/GwjVc0cZ

tilkov
  • 243
  • 2
  • 6

1 Answers1

3

From the perspective of the client (i.e. browser) there is no difference between an optional client certificate or a required one: in both cases the server will request the certificate and only at the server side it will be determined if a client which did not send a certificate will be accepted or not.

My guess is that your client has no certificate from any of the CA you have specified inside /etc/nginx/client-cert/ca.crt. This file is used to build the list of acceptable CA's which is sent to the client. If none of the installed client certificates in the browser matches any of these CA no prompt will be given (since there is nothing to choose from) and no client certificate will be send.

Steffen Ullrich
  • 13,227
  • 27
  • 39
  • I believe @Steffen is right. Adding more context: https://serverfault.com/questions/761280/nginx-does-not-prompt-for-client-ssl-certificate/764509#764509 – Luca Gibelli Apr 30 '18 at 15:12