id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1760	Client cert verification not working with Openssl 1.1.1b - working on 1.0.2r	scaarup@…		"Hi guys.

If I build Nginx with OpenSSL 1.1.1b, client cert verification is not working. It always results in:

2019/04/02 21:18:55 [info] 29916#0: *10 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client: <masked ip>, server: <masked-hostname>, request: ""POST /endpoint/jokum HTTP/1.1"", host: ""<masked-hostname>:4000""

nginx -V:
{{{
nginx version: nginx/1.15.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-openssl=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/openssl-1.1.1b/ --with-http_ssl_module --with-http_stub_status_module --with-debug --with-http_dav_module --with-http_v2_module --with-http_auth_request_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-stream_realip_module --with-openssl-opt=enable-tls1_3 --add-module=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/ModSecurity-nginx
}}}


Configuration:

{{{
                ssl_client_certificate /etc/nginx/root.pem;
                ssl_verify_client on;
                ssl_verify_depth 3;
}}}

If I then build Nginx with OpenSSL 1.0.2r, it works fine. Same configuration on the same server.

nginx -V:

{{{
nginx version: nginx/1.15.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2r  26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-openssl=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/openssl-1.0.2r/ --with-http_ssl_module --with-http_stub_status_module --with-debug --with-http_dav_module --with-http_v2_module --with-http_auth_request_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-stream_realip_module --add-module=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/ModSecurity-nginx
}}}
"	defect	closed	major		other	1.15.x	invalid	openssl		 Linux ssl-modirum301.dibs.dk 3.10.0-957.10.1.el7.x86_64 #1 SMP Thu Feb 7 07:12:53 UTC 2019 	"nginx version: nginx/1.15.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-openssl=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/openssl-1.1.1b/ --with-http_ssl_module --with-http_stub_status_module --with-debug --with-http_dav_module --with-http_v2_module --with-http_auth_request_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-stream_realip_module --with-openssl-opt=enable-tls1_3 --add-module=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/ModSecurity-nginx"
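The log line in the ticket is OpenSSL X509 verification error 26 (X509_V_ERR_INVALID_PURPOSE). When a TLS server verifies a client certificate, OpenSSL checks the whole presented chain against the "sslclient" purpose, so `openssl verify -purpose sslclient -CAfile <ssl_client_certificate file> <client cert>` gives the same verdict as nginx's `ssl_verify_client on` without starting nginx, and names the depth at which the failing certificate sits. The script below is an added example, not code from the ticket, nginx or OpenSSL: it builds a throwaway CA and two client certificates, one whose extendedKeyUsage allows clientAuth and one that allows only serverAuth, and runs that check on each. The CA name, the temporary directory, the extension sections and the certificate names are all constructed for the example; `$WORK/ca.pem` stands in for the reporter's `/etc/nginx/root.pem`.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 26 ("unsupported certificate
# purpose") with plain openssl(1), using the same purpose nginx applies when it
# verifies a client certificate. Everything below is constructed test data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenSSL config: a CA extension set plus two leaf extension sets.
# "client_ext" permits clientAuth; "server_only_ext" permits serverAuth only.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[server_only_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF

# Throwaway test CA (hypothetical; plays the role of /etc/nginx/root.pem).
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=Example Test CA" \
  -days 2 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME EXT_SECTION: key + CSR + CA-signed certificate at $WORK/NAME.pem
issue_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# verify_client CERT: the purpose check a TLS server applies to a client cert.
# Prints "OK", or OpenSSL's reason text (from the "error N at D depth lookup"
# line, which also tells you the failing depth); exit status mirrors openssl verify.
verify_client() {
  if out=$(openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$1" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p'
    return 1
  fi
}

# purposes CERT: OpenSSL's own view of what a certificate may be used for.
# "SSL client" is the line that matters for a leaf; "SSL client CA" for the
# CA and any intermediates covered by ssl_verify_depth.
purposes() { openssl x509 -in "$1" -noout -purpose; }

issue_cert good client_ext
issue_cert bad server_only_ext

verify_client "$WORK/good.pem" || true   # OK
verify_client "$WORK/bad.pem" || true    # unsupported certificate purpose
purposes "$WORK/bad.pem" | grep '^SSL client'
```

To check a real deployment, point `-CAfile` at the file named by `ssl_client_certificate` and pass the certificate (or full chain file) the client presents; running `openssl x509 -noout -purpose` on every certificate in that chain shows which one OpenSSL refuses for the client or client-CA role.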
