When nginx requests a client certificate with the ssl_verify_client option,
and the client complies, the latter sends its certificate in plain text.
Although it's just the public part of the certificate, one can consider it
a kind of information disclosure, since user name, email, organization,
etc. are transmitted in plain text.
According to this stackexchange question -
https://security.stackexchange.com/questions/80177/protecting-information-in-tls-client-certificates
- it's technically possible to request the client certificate after the
connection is encrypted.
Is it possible to do that in nginx?
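To make the disclosure in the question concrete, here is an added example (not from the poster) that parses a constructed TLS record stream and lists which handshake messages an on-path observer can read: in a TLS 1.2 handshake the client's Certificate message travels in a plaintext handshake record, whereas in TLS 1.3 the whole client flight after ServerHello is carried in encrypted application_data records (RFC 8446). The certificate body and the record contents are constructed placeholders, not real DER or ciphertext.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}

def record(content_type, body, version=b"\x03\x03"):
    """Wrap a body in a 5-byte TLS record header (type, legacy version, length)."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body

def handshake(msg_type, body):
    """Wrap a body in a 4-byte handshake header (type, 24-bit length)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def plaintext_handshake_messages(stream):
    """Return the names of handshake messages readable without any key.
    Handshake records are plaintext until a ChangeCipherSpec is seen (TLS 1.2);
    application_data records (TLS 1.3 encrypted handshake) are opaque."""
    visible, encrypted, pos = [], False, 0
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        length = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # every later record is protected by the negotiated keys
        elif ctype == HANDSHAKE and not encrypted:
            off = 0
            while off + 4 <= len(body):
                mtype = body[off]
                mlen = int.from_bytes(body[off + 1:off + 4], "big")
                visible.append(HANDSHAKE_NAMES.get(mtype, f"type{mtype}"))
                off += 4 + mlen
        # APPLICATION_DATA, or a handshake record after CCS, is ciphertext: skip it
    return visible

# Constructed (fake) client Certificate message: a stand-in subject, not real DER.
FAKE_CERT = handshake(11, b"\x00\x00\x10" + b"CN=alice,O=acme!")

# TLS 1.2 style client flight: Certificate, ClientKeyExchange, CertificateVerify
# in the clear, then ChangeCipherSpec, then the encrypted Finished.
TLS12_CLIENT_FLIGHT = (
    record(HANDSHAKE, FAKE_CERT + handshake(16, b"\x00\x02kx") + handshake(15, b"\x00\x02sg"))
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, b"\xaa" * 40))

# TLS 1.3 style client flight: the same certificate, but inside one encrypted
# application_data record (constructed opaque bytes stand in for the ciphertext).
TLS13_CLIENT_FLIGHT = record(APPLICATION_DATA, b"\xbb" * (len(FAKE_CERT) + 17))
```

Running `plaintext_handshake_messages` over the two flights shows the certificate exposed only in the TLS 1.2 case.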