#1847 closed defect (invalid)

Client certificate verification fails when using Nginx with OpenSSL 1.1.1

Reported by: isbcholding@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.17.x
Keywords: Cc:
uname -a: Linux xxxxx 4.12.14-94.41-default #1 SMP Wed Oct 31 12:25:04 UTC 2018 (3090901) x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.3
built by gcc 4.8.5 (SUSE Linux)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --add-module=../naxsi-0.56/naxsi_src --with-http_ssl_module --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/usr/local/nginx/nginx.pid --add-module=../nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --with-http_geoip_module --with-openssl=../openssl-1.1.1c --with-http_stub_status_module --with-http_v2_module --with-http_sub_module

Description

Hi,

We use Nginx to access an internal server and verify clients by corporate certificates stored on their USB tokens or smart cards.
Now we want to move to OpenSSL 1.1.1 to add TLSv1.3 support in Nginx. After we compiled Nginx with the latest OpenSSL 1.1.1, we found that Nginx failed to verify some client certificates with a 495 error. The same client certificates worked fine when Nginx was built with OpenSSL 1.0.2.

However, verification of the failed certificates by the OpenSSL 1.1.1 console command works fine:

openssl verify -crl_check -CRLfile crl.pem -CAfile root-ca.crt user.crt

shows

user.crt : OK

Environment:
1) SLES12 SP4
2) OpenSSL 1.1.1c
3) Nginx 1.17.3

Change History (6)

comment:1 by Maxim Dounin, 5 years ago

When certificate verification fails, nginx logs the reason to the error log, at the info level. Check the logs, likely there is an explanation there. In particular, in the past we've seen problems due to certificate purpose checking as introduced in OpenSSL 1.1.0, see #1760.

comment:2 by isbcholding@…, 5 years ago

There are no errors at all in the error logs.
We have a lot of certificates issued by the same CA. Some of them fail verification in Nginx, others pass.
But the openssl verify CLI command passes for the certificates that failed in Nginx.

comment:3 by Maxim Dounin, 5 years ago

> There are no errors at all in the error logs.

This means that the error log in your setup is not configured to log messages at the info level. Adjust your configuration to see the relevant messages.

> But the openssl verify CLI command passes for the certificates that failed in Nginx.

The most obvious difference in the openssl verify command is that it doesn't use certificate purpose by default. Try with -purpose sslclient, as suggested in the referenced ticket.

comment:4 by isbcholding@…, 5 years ago

Thank you!
I've configured info logging; here are the errors:

2019/09/11 11:28:29 [info] 14709#0: *10 peer closed connection in SSL handshake while SSL handshaking, client: 172.20.20.126, server: 0.0.0.0:443
2019/09/11 11:28:30 [info] 14710#0: *11 peer closed connection in SSL handshake while SSL handshaking, client: 172.20.20.126, server: 0.0.0.0:443
2019/09/11 11:28:31 [info] 14708#0: *12 peer closed connection in SSL handshake while SSL handshaking, client: 172.20.20.126, server: 0.0.0.0:443
2019/09/11 11:28:37 [info] 14707#0: *14 peer closed connection in SSL handshake while SSL handshaking, client: 172.20.20.126, server: 0.0.0.0:443
2019/09/11 11:28:37 [info] 14710#0: *13 client SSL certificate verify error: (66:EE certificate key too weak) while reading client request headers, client: 172.20.20.126, server: sale-php7.corp.isbc.ru, request: "GET /_partners/index.php HTTP/2.0", host: "sale-php7.corp.isbc.ru", referrer: "https://sale-php7.corp.isbc.ru/_index/task_my.php"
2019/09/11 11:28:37 [info] 14710#0: *13 client SSL certificate verify error: (66:EE certificate key too weak) while reading client request headers, client: 172.20.20.126, server: sale-php7.corp.isbc.ru, request: "GET /_index/task_my.php HTTP/2.0", host: "sale-php7.corp.isbc.ru"
2019/09/11 11:28:37 [info] 14710#0: *13 client SSL certificate verify error: (66:EE certificate key too weak) while reading client request headers, client: 172.20.20.126, server: sale-php7.corp.isbc.ru, request: "GET /_pay/list.php HTTP/2.0", host: "sale-php7.corp.isbc.ru", referrer: "https://sale-php7.corp.isbc.ru/_sklad/order_items.php"

Anyway, -purpose sslclient passed:

openssl verify -crl_check -purpose sslclient -CRLfile crl.pem -CAfile root-ca.crt user.crt
user.crt: OK
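As an added example (not part of the ticket, and not nginx or OpenSSL code), the following Python snippet parses the nginx error-log format shown in the excerpt above and pulls out the client-certificate verification failures together with the OpenSSL verify code and reason text. The sample lines are constructed, modelled on the excerpt with documentation addresses and host names; the "peer closed connection in SSL handshake" lines are deliberately skipped because they carry no verification reason.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the nginx error log excerpt in the ticket
# (same format; hosts and addresses replaced with documentation values).
SAMPLE_LOG = """\
2019/09/11 11:28:29 [info] 14709#0: *10 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2019/09/11 11:28:37 [info] 14710#0: *13 client SSL certificate verify error: (66:EE certificate key too weak) while reading client request headers, client: 192.0.2.10, server: www.example.test, request: "GET /index.php HTTP/2.0", host: "www.example.test"
2019/09/11 11:29:02 [info] 14711#0: *15 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client: 192.0.2.11, server: www.example.test, request: "GET / HTTP/2.0", host: "www.example.test"
2019/09/11 11:29:05 [error] 14711#0: *16 open() "/var/www/missing" failed (2: No such file or directory), client: 192.0.2.12, server: www.example.test, request: "GET /missing HTTP/2.0", host: "www.example.test"
"""

# nginx error log line: "<date> <time> [<level>] <pid>#<tid>: *<connection> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*)$"
)
# The verify failure carries OpenSSL's X509_V_ERR_* code and its text in parentheses.
VERIFY_RE = re.compile(
    r"client SSL certificate verify error: \((?P<code>\d+):(?P<reason>[^)]*)\)"
)
CLIENT_RE = re.compile(r"client: (?P<client>[^,]+)")
SERVER_RE = re.compile(r"server: (?P<server>[^,]+)")


def parse_verify_errors(text):
    """Return one dict per client-certificate verification failure found in text."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        v = VERIFY_RE.search(m["msg"])
        if not v:
            # e.g. "peer closed connection in SSL handshake": the client gave up,
            # which is not a verification failure and carries no reason code.
            continue
        c = CLIENT_RE.search(m["msg"])
        s = SERVER_RE.search(m["msg"])
        results.append({
            "ts": m["ts"],
            "level": m["level"],
            "conn": int(m["conn"]),
            "code": int(v["code"]),
            "reason": v["reason"],
            "client": c["client"] if c else None,
            "server": s["server"] if s else None,
        })
    return results


def summarize(errors):
    """Count failures by (code, reason) so a fleet-wide problem stands out."""
    return Counter((e["code"], e["reason"]) for e in errors)


if __name__ == "__main__":
    errors = parse_verify_errors(SAMPLE_LOG)
    for e in errors:
        print(f'{e["ts"]} client={e["client"]} code={e["code"]} reason="{e["reason"]}"')
    for (code, reason), count in summarize(errors).most_common():
        print(f"{count:4d}  {code}:{reason}")
```

Run against a real error log at the info level, the summary immediately separates "key too weak" failures (a certificate population problem) from purpose failures or clients that simply aborted the handshake.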

comment:5 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: new → closed

The EE certificate key too weak error suggests that the keys you are trying to use are too weak. Starting with 1.1.0, OpenSSL uses security level 1 by default, which is as follows (quoting man SSL_CTX_set_security_level):

The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result RSA,
DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
are prohibited. All export cipher suites are prohibited since they all offer
less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
using MD5 for the MAC is also prohibited.

You can instruct OpenSSL to accept keys it generally considers to be too weak by using @SECLEVEL=0 in the cipher string (as set by the ssl_ciphers nginx directive, see man ciphers for syntax details), though usually it is a better idea to replace weak certificates with stronger ones.

Just in case, openssl verify accepts a security level in the -auth_level argument, and you can replicate the default certificate verification behaviour by using openssl verify -auth_level 1. No idea why -auth_level 1 isn't the default for openssl verify.

comment:6 by isbcholding@…, 5 years ago

Thank you!

It's very strange, but the client certificate was created as RSA1024, and yet:

openssl x509 -text -noout -in user.crt

shows it as

Public-Key: (1023 bit)
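Added example, not from the ticket, nginx or OpenSSL: a Python illustration of why a certificate "created as RSA1024" can be reported as 1023 bits and then fail security level 1. The security-bits table reproduces OpenSSL's BN_security_bits() mapping, and the per-level minimums come from SSL_CTX_set_security_level(3) (the level 1 figure is the one quoted in comment 5; the others are from the same man page). The moduli are constructed random odd numbers of a chosen bit length, not real RSA keys, and the minimal DER encoder and decoder exist only to show that a 1023-bit and a 1024-bit modulus both occupy 128 bytes, so what a token or CSP calls "1024" by byte count is not what OpenSSL counts.

```python
import random

# OpenSSL's BN_security_bits() mapping from RSA/DSA/DH modulus size to
# "bits of security", reproduced here. Note the hard floor: below 1024 bits
# the result is 0, so a 1023-bit key offers no security bits at all in this model.
def rsa_security_bits(modulus_bits):
    for threshold, secbits in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= threshold:
            return secbits
    return 0

# Minimum security bits per OpenSSL security level (SSL_CTX_set_security_level(3)).
# Level 1 (80 bits) is the default since OpenSSL 1.1.0; @SECLEVEL=0 disables the check.
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

def key_accepted(modulus_bits, seclevel):
    """Would a certificate with this modulus size pass the key-size check at seclevel?"""
    return rsa_security_bits(modulus_bits) >= SECLEVEL_MIN_BITS[seclevel]

def constructed_modulus(bits, seed=1):
    """Constructed stand-in for an RSA modulus: a random odd number of exactly `bits` bits.
    Not a product of two primes; only its size matters for this demonstration."""
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1

# --- minimal DER for RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_integer(v):
    # (bit_length + 8) // 8 adds a leading 0x00 exactly when the top bit is set,
    # which is what keeps a positive INTEGER from being read as negative.
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_rsa_public_key(n, e):
    body = der_integer(n) + der_integer(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """Return (n, e) from a DER RSAPublicKey; raises ValueError on anything else."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def describe(n):
    """Bit count (what 'openssl x509 -text' prints) versus the byte count people expect."""
    bits = n.bit_length()
    return {
        "bits": bits,                      # shown as "Public-Key: (N bit)"
        "bytes": (bits + 7) // 8,          # 128 for both 1023- and 1024-bit moduli
        "security_bits": rsa_security_bits(bits),
        "seclevel1_ok": key_accepted(bits, 1),
        "seclevel0_ok": key_accepted(bits, 0),
    }

if __name__ == "__main__":
    for label, bits in (("1023-bit", 1023), ("1024-bit", 1024), ("2048-bit", 2048)):
        n = constructed_modulus(bits)
        assert parse_rsa_public_key(der_rsa_public_key(n, 65537)) == (n, 65537)
        print(f"{label:10s} {describe(n)}")
```

A 1023-bit modulus is what a generator produces when it forces only the top bit of each 512-bit prime: their product then has either 1023 or 1024 bits, and since OpenSSL counts bits rather than bytes, the 1023-bit case falls below the 1024-bit floor and is rejected at security level 1 while the 1024-bit case is accepted. The same check passes either key at @SECLEVEL=0, which is why the cipher-string workaround in comment 5 makes the error go away without making the key any stronger.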