id: 1847
summary: Client certificate verification failed if use Nginx with Openssl 1.1.1
reporter: isbcholding@…
owner:
type: defect
status: closed
priority: minor
milestone:
component: nginx-module
version: 1.17.x
resolution: invalid
keywords:
cc:

description:

Hi,

We use Nginx to access an internal server and verify clients by corporate certificates stored on their USB tokens or smart cards. Now we want to move to openssl 1.1.1 to add support for TLSv1.3 in Nginx. After we compiled Nginx with the latest openssl 1.1.1, we found that Nginx failed to verify some client certificates, with a 495 error. The same client certificates worked fine when Nginx was built with openssl 1.0.2.

However, verifying the failed certificates with the openssl 1.1.1 console command works fine:

> openssl verify -crl_check -CRLfile crl.pem -CAfile root-ca.crt user.crt

shows

> user.crt : OK

Environment:
1) SLES12 SP4 -
2) OpenSSL 1.1.1c
3) Nginx 1.17.3

uname: Linux xxxxx 4.12.14-94.41-default #1 SMP Wed Oct 31 12:25:04 UTC 2018 (3090901) x86_64 x86_64 x86_64 GNU/Linux

nginx_version:

nginx version: nginx/1.17.3
built by gcc 4.8.5 (SUSE Linux)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --add-module=../naxsi-0.56/naxsi_src --with-http_ssl_module --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/usr/local/nginx/nginx.pid --add-module=../nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --with-http_geoip_module --with-openssl=../openssl-1.1.1c --with-http_stub_status_module --with-http_v2_module --with-http_sub_module