I have set up client certificate authentication on nginx using ssl_client_certificate and it works all fine.
The nginx documentation says this about ssl_client_certificate:
The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.
My goal with this config is to make browser filter out irrelevant client certificates.
I have the following configuration (only the relevant parts) and it doesn't work. The browser brings up every client certificate in the system instead of the certificates related to the CAs in path-to-certs.pem. I have tried Firefox, Chrome and Edge on Windows.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache off;
ssl_verify_client optional;
ssl_client_certificate path-to-certs.pem;
ssl_verify_depth 9;
If I remove TLSv1.3 it starts working, meaning the browser only shows the relevant certificates. Do I maybe need to set up something extra? Or maybe there is a known nginx issue that I'm having a hard time finding?
This post implies that it is not inherently a TLSv1.3 protocol problem, at least.
This turned out to be a wolfSSL (v5.6.3) bug as I was testing an nginx build with wolfSSL. Rebuilding nginx with updated wolfSSL (v5.6.6) fixed the problem.
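In TLS 1.3 the CA list that ssl_client_certificate makes nginx advertise no longer sits in the CertificateRequest body itself but in its certificate_authorities extension (RFC 8446 section 4.2.4), which is what a browser uses to narrow the certificate picker. The following added example is not from the original post or from nginx/wolfSSL: it builds a CertificateRequest body from constructed DER names and parses the extension back out, so you can see exactly what the client is (or is not) given to filter on.

```python
# Added example (not from the post): parse a TLS 1.3 CertificateRequest body and
# extract the certificate_authorities extension (RFC 8446 s4.2.4), the DER names that
# ssl_client_certificate makes nginx advertise. Message bytes are constructed here.
import struct

CERTIFICATE_AUTHORITIES = 47  # ExtensionType value from RFC 8446

def der(tag, content):
    """Minimal DER TLV encoder (short-form length only; fine for small names)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def cn_name(common_name):
    """DER Name with one CN: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString } } }."""
    oid_cn = der(0x06, b"\x55\x04\x03")
    return der(0x30, der(0x31, der(0x30, oid_cn + der(0x13, common_name.encode("ascii")))))

def build_certificate_request(ca_names):
    """CertificateRequest body: empty request context + one certificate_authorities extension."""
    authorities = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    ext_data = struct.pack("!H", len(authorities)) + authorities
    ext = struct.pack("!HH", CERTIFICATE_AUTHORITIES, len(ext_data)) + ext_data
    return b"\x00" + struct.pack("!H", len(ext)) + ext

def parse_certificate_authorities(body):
    """Return the DER names the server advertised, or None if the extension is absent."""
    pos = 1 + body[0]   # skip certificate_request_context
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos < ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == CERTIFICATE_AUTHORITIES:
            names, p = [], 2   # first two bytes are the list length
            while p < len(data):
                n_len = struct.unpack("!H", data[p:p + 2])[0]
                names.append(data[p + 2:p + 2 + n_len])
                p += 2 + n_len
            return names
    return None   # no list sent: the browser has nothing to filter on

def common_name_of(der_name):
    """Pull the CN value out of a DER Name (searches for the 2.5.4.3 OID); None if absent."""
    idx = der_name.find(b"\x06\x03\x55\x04\x03")
    return None if idx < 0 else der_name[idx + 7:idx + 7 + der_name[idx + 6]].decode()

if __name__ == "__main__":
    msg = build_certificate_request([cn_name("Example Client CA"), cn_name("Corp Root CA")])
    print([common_name_of(n) for n in parse_certificate_authorities(msg) or []])
```

Feeding the parser a real CertificateRequest body captured from a test server (for example from a TLS 1.3 debug trace) shows whether the advertised list matches the CAs in ssl_client_certificate or is missing altogether.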