[FIXED] Which client certificate auth validations are done by NGINX for auth-tls-verify-client = optional_no_ca

Issue

We have a K8S service leveraging NGINX and in some flows would like to accept client certificate authentication.
Service has a dynamic list of public trusted client certificates (PEM format), and the root CAs aren't known.
In NGINX, it seems like the best setting to use would be:

nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca

While sending the full certificate ($ssl_client_escaped_cert) to the upstream service to compare the entire public cert.

The question is whether NGINX will still perform the client cert validations during SSL handshake (and only skips CA checks), to verify the request is indeed sent by the one and only owner of the cert and its private key.

Solution

It will still check in the TLS handshake that the public key in the certificate can be used to verify the signature in CertificateVerify, i.e. that the client actually owns the private key to the sent certificate.

It will not check that the certificate itself is issued by a trusted CA etc - such verification are expected to be done elsewhere.

Answered By - Steffen Ullrich

Answer Checked By - Gilberto Lyons (PHPFixing Admin)