Opened 3 years ago

Closed 3 years ago

#1310 closed defect (duplicate)

SSL proxy - CRL verification error

Reported by: Renkas@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.13.x
Keywords: Cc:
uname -a: Linux d237ad392de9 4.9.31-moby #1 SMP Sat Jun 24 06:29:23 UTC 2017 x86_64 GNU/Linux
nginx -V: built with OpenSSL 1.1.0e 16 Feb 2017 (running with OpenSSL 1.1.0f 25 May 2017)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.1/debian/debuild-base/nginx-1.13.1=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

This is mostly duplicate of: https://trac.nginx.org/nginx/ticket/344

But the proposed solution does not work.

I have CRLs for all the certificates I have defined in 'ssl_client_certificate'.

My certificates:
EE Certification Centre Root CA https://sk.ee/upload/files/EE_Certification_Centre_Root_CA.pem.crt
EID-SK 2011 https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
ESTEID-SK 2011 https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
ESTEID-SK 2015 https://sk.ee/upload/files/ESTEID-SK_2015.pem.crt

My CRL file consists of these CRLs converted to PEM and concatenated:
http://www.sk.ee/crls/eeccrca/eeccrca.crl
http://www.sk.ee/repository/crls/eid2011.crl
http://www.sk.ee/repository/crls/esteid2011.crl
http://www.sk.ee/crls/esteid/esteid2015.crl

converted like this:

openssl crl -in "eeccrca.crl" -out "eeccrca.crl" -inform DER

In error_log I'm getting:
"client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers"

Error log with debug level output: https://paste.ngx.cc/de

If I test my client certificate manually from the command line, everything works fine (mycert.cer is the cert I get from the browser and is issued by "ESTEID-SK 2015"):

openssl verify -crl_check -CAfile ca.crl mycert.cer 

Config:

server {
    listen            443 ssl;
    listen       [::]:443 ssl;

    server_name id.test.dev;

    access_log            /var/log/nginx/p443id.access.log;
    error_log             /var/log/nginx/p443id.error.log info;

    include conf/_ssl.conf;

    ssl_crl /etc/nginx/cert/crl/ca.crl;
    ssl_client_certificate /etc/nginx/cert/eid.crt;
    ssl_verify_client on;
    ssl_session_cache off;
    ssl_verify_depth 2;

    location / {

      expires -1;

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_set_header        SSL-CLIENT-VERIFY $ssl_client_verify;
      #proxy_set_header        SSL-CLIENT-CERT $ssl_client_cert;
      proxy_set_header        SSL-CLIENT-S-DN $ssl_client_s_dn;
      proxy_set_header        SSL-CLIENT-V-START $ssl_client_v_start;
      proxy_set_header        SSL-CLIENT-V-END $ssl_client_v_end;
      proxy_set_header        SSL-CLIENT-I-DN $ssl_client_i_dn;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://localhost:8088;
      proxy_read_timeout  90;

      proxy_redirect      http://localhost:8088 $host;
    }
}

Change History (2)

comment:1 by Renkas@…, 3 years ago

'conf/_ssl.conf' content is as follows. Forgot to include in original ticket:

ssl on;

ssl_dhparam               /etc/nginx/cert/dhparam.pem;
ssl_certificate           /etc/nginx/cert/nginx-selfsigned.crt;
ssl_certificate_key       /etc/nginx/cert/nginx-selfsigned.key;
ssl_session_cache         shared:SSL:10m;
ssl_session_timeout       5m;
ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

comment:2 by Maxim Dounin, 3 years ago

Resolution: duplicate
Status: new → closed

See ticket #1094 (in particular, this comment); there is a problem with the root certificate CRL.
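The resolution above points at the root CA's CRL. The reason that matters: nginx's `ssl_crl` loads the file into the verification store with OpenSSL's `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL`, so a CRL must be available for every certificate in the client's chain, the self-signed root included, while `openssl verify -crl_check` (the manual test in the description) checks only the leaf and so does not reproduce what nginx does; `-crl_check_all` does. The script below is an added example, not code from the ticket or from nginx: it builds a throwaway root CA, intermediate CA and client certificate, issues an empty CRL for each CA, and runs the three verifications. All names, subjects and file paths in it are invented for the demo; it needs only the `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the ticket or from nginx: rebuild the reporter's
# failure with a throwaway PKI. nginx's ssl_crl turns on OpenSSL's
# X509_V_FLAG_CRL_CHECK_ALL, so a CRL must be available for every certificate
# in the client's chain, the self-signed root included; "openssl verify
# -crl_check" only checks the leaf and therefore does not reproduce it.
# All names, subjects and paths below are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; remove it when done

# Minimal config: a bare [req] section (subjects come from -subj), the
# [ca_default] section that 'openssl ca -gencrl' needs, and two extension sets.
write_conf() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
default_md = sha256
[ req_dn ]
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    : > "$WORK/index.txt"      # empty CA database: nothing revoked
    echo 01 > "$WORK/crlnumber"
}

# EC key + CSR named $1 with subject $2.
new_csr() {
    openssl req -new -config "$WORK/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Root CA -> intermediate CA -> client certificate, plus one CRL per CA.
build_pki() {
    write_conf
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    new_csr int "/CN=Demo Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions v3_ca \
        -out "$WORK/int.crt" 2>/dev/null
    new_csr client "/CN=Demo Client"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions v3_client \
        -out "$WORK/client.crt" 2>/dev/null
    # Empty CRLs, already PEM (what the reporter's 'openssl crl -inform DER' step produces).
    openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/root.key" -cert "$WORK/root.crt" \
        -out "$WORK/root.crl" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/int.key" -cert "$WORK/int.crt" \
        -out "$WORK/int.crl" 2>/dev/null
    # The bundle an nginx ssl_crl directive should point at: every CA's CRL, root included.
    cat "$WORK/root.crl" "$WORK/int.crl" > "$WORK/ca.crl"
}

# Verify the client cert against the chain using CRL file $1 in mode $2
# (-crl_check = leaf only, -crl_check_all = what nginx does).
# Prints "OK" or the OpenSSL reason string from the failure.
verify_with_crl() {
    out=$(openssl verify "$2" -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        -CRLfile "$1" "$WORK/client.crt" 2>&1) || true
    case "$out" in
        *"client.crt: OK"*)                echo "OK" ;;
        *"unable to get certificate CRL"*) echo "unable to get certificate CRL" ;;
        *)                                 echo "other: $out" ;;
    esac
}

build_pki
echo "leaf-only check, intermediate CRL only:    $(verify_with_crl "$WORK/int.crl" -crl_check)"
echo "nginx-style check, intermediate CRL only:  $(verify_with_crl "$WORK/int.crl" -crl_check_all)"
echo "nginx-style check, root+intermediate CRLs: $(verify_with_crl "$WORK/ca.crl" -crl_check_all)"
```

The second line of output is the ticket's error (OpenSSL error 3, "unable to get certificate CRL"), raised at depth 1 because no CRL issued by the root is present; the third line shows that concatenating the root's CRL into the bundle clears it. To check a real deployment, run `openssl verify -crl_check_all -CAfile <ssl_client_certificate file> -CRLfile <ssl_crl file> <client cert>` rather than `-crl_check`, and remove `$WORK` afterwards.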
