$ssl_client_sigalg
The variable $ssl_client_sigalg contains the signature algorithm used by the client's SSL certificate. — NGINX Core (HTTP)
Description
The $ssl_client_sigalg variable is set when a client presents an SSL certificate during the TLS handshake. It holds the signature algorithm with which the client's certificate was signed, that is, the algorithm its issuer used. This matters for applications that validate client certificates and allow or deny access based on the strength of the signing algorithm.

The value of $ssl_client_sigalg varies with the client's configuration and security policy; common values include 'sha256WithRSAEncryption' and 'sha1WithRSAEncryption'. NGINX sets this variable only in contexts where client certificates are enabled, specifically in 'server' and 'location' blocks where the ssl_verify_client directive is set to 'on' or 'optional'. If no client certificate is provided, the variable is empty.

The variable is particularly useful for logging and debugging: it lets administrators see which signing algorithms the clients of a service are using and make informed decisions based on that information. Changes to client SSL configurations may alter the values seen here and should be monitored accordingly.
Config Example
server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/client_ca.crt;
    ssl_verify_client on;

    location / {
        if ($ssl_client_sigalg = 'sha256WithRSAEncryption') {
            # Log or take action for clients using SHA256
            access_log /var/log/nginx/ssl.log;
        }
    }
}

Subsystem
http

Cacheable
Yes

Contexts
http, server, location, if

Notes
This variable will be empty if SSL client verification is not enabled or if the client does not provide a certificate. Misconfiguring the SSL context may leave the variable unset, which in turn breaks any access logic that depends on it.
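Building on the config example above, the following is an added example, not taken from the NGINX documentation, that uses a map instead of a string comparison inside if, records the algorithm on every request, and rejects clients whose certificate was signed with a weak algorithm. The upstream name, the log format name and the file paths are placeholders.

```nginx
# Added example (not NGINX's own documentation): classify the client
# certificate's signature algorithm once with a map, log it, and reject
# weak algorithms. Paths and the "backend" upstream are placeholders.

# "map" is only valid in the http context.
map $ssl_client_sigalg $client_sig_weak {
    default                 0;
    sha1WithRSAEncryption   1;   # SHA-1 certificate signatures are obsolete
    ~^md[245]With           1;   # any MD2/MD4/MD5-based signature
}

# Log format recording the verification result and the signature algorithm,
# so weak algorithms are visible in the logs before enforcement is tightened.
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'verify=$ssl_client_verify sigalg=$ssl_client_sigalg '
                'weak=$client_sig_weak';

server {
    listen 443 ssl;
    ssl_certificate        /path/to/server.crt;
    ssl_certificate_key    /path/to/server.key;
    ssl_client_certificate /path/to/client_ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    access_log /var/log/nginx/mtls.log mtls;

    location / {
        # "return" inside "if" is one of the safe uses of the if directive;
        # $client_sig_weak is "0" (false) for every algorithm not listed above.
        if ($client_sig_weak) {
            return 403;
        }
        proxy_pass http://backend;
    }
}
```

Run the map in log-only mode first (remove the if block) and review the weak= column before turning on the 403, so legitimate clients with certificates from an old CA are not cut off unannounced.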