id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1094	CRL check for Estonian ID cards fails	edgars.buss.optibet.lv@…		"Nginx CRL check for Estonian ID cards fails with the error:
{{{
2016/10/04 08:02:13 [info] 7#7: *8 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: 192.168.2.133, server: site, request: ""GET / HTTP/1.1"", host: ""site""
192.168.2.133 - - [04/Oct/2016:08:02:13 +0000] ""GET / HTTP/1.1"" 400 231 ""-"" ""Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0""
}}}

Relevant config:
{{{
  listen 443 ssl;

  ssl_certificate     /etc/nginx/site.20150819.chained.crt;
  ssl_certificate_key /etc/nginx/site.20150819.nopass.key;

  ssl_verify_client on;
  ssl_verify_depth 2;

  ssl_client_certificate /etc/nginx/ee_all_20161004.pem;
  ssl_crl /etc/nginx/ee_all_20161004.crl.pem;

}}}


Here are links to the certificates and CRLs:
https://sk.ee/en/repository/
https://sk.ee/en/repository/CRL/

I converted the CRLs from DER to PEM and concatenated them into one file in the same order as the client certificate.

Nginx validates the client certificate perfectly if no ssl_crl config is specified, thus disabling the use of CRLs. One note: the combined CRL is more than 50MB in size."	defect	closed	major		nginx-core	1.11.x	worksforme			Linux nginx-source 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) 
built with OpenSSL 1.1.0b  26 Sep 2016
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.39 --with-zlib=../zlib-1.2.8 --with-http_ssl_module --with-stream --with-mail=dynamic
"
