certificates – Is this nginx config suitable to enforce proper authorization?


I have a website secret.example.com, which contains information which must not be disclosed to third parties. In order to protect the information, TLS client authentication was chosen. Whether or not a client is authorized depends on them possessing a client certificate which is signed by the internal CA.

The Configuration

The following snippets of the configuration file provide the client authentication:

ssl_client_certificate  /etc/ssl/nginx/secret.example.com/cert/ca.pem;
ssl_verify_client       on;

The file ca.pem contains a self-signed certificate authority, created via the following openssl command:

 openssl req -new -x509 -nodes -days 1460 -key ca.key.pem > ca.pem

Client certificates would then be signed by this root CA.

What I have tried so far

  1. Send a certificate signed by the CA – This results, as expected, in the website being displayed correctly.
  2. Send no certificate – This results in an error returned by the server, claiming no client certificate was sent.
  3. Send a self-signed certificate by a CA with the same details as the real CA – This results in the error message “The SSL certificate error”, which is not very descriptive, but still does not allow an attacker to see the confidential information.

My question

Is this configuration sufficient to enforce proper authorization? Or does an attacker have any possibility to still access the confidential information?

In order to scope the question further, the following scenarios are explicitly not in the scope of the question:

  • Vulnerabilities in nginx (however, “gotchas” in the configuration are in scope)
  • Disclosure of information through other sites (e.g. debug.example.com allowing LFI)
  • Direct attacks on the physical server
  • Attacks on the machine of a user, causing disclosure of a client certificate and private key