On TLS-enabled nginx/httpd, is “ssl_verify_client optional_no_ca” disabling TLS’s “CertificateVerify” checks?


I’m looking for an helping hand with my https nginx setup. I require my application to be exposed through an nginx frontend, offloading TLS. Easy !
The thing is, I need to have Certificate-based client authentication, and my application cannot be advertising a list of CAs it accepts as it will disclose information about my clients.

As a result I am building up a solution based on the optional_no_ca parameter of nginx.

Sadly, this workflow is not discussed on the TLS RFC, and I’m willing to confirm that the CertificateVerify is still part of the verifications done by Nginx/OpenSSL .

I’m willing to do my authentication in 2 phases :
1- ClientCertificate & TLS validation – On Nginx ( to avoid replay and certificate forgery )
2- Certificate validity, CAs and CN validation on Application.

This can only be secure if the CertificateVerify is done properly on Nginx side, as it will be impossible for my application to do it, since it’s not terminating TLS itself ( and cannot ).

Would anyone have confirmations ? Or ideas on how to test this without falling down to scappy ?