id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1847	Client certificate verification fails when using Nginx with OpenSSL 1.1.1	isbcholding@…		"Hi,

We use Nginx to access an internal server and verify clients by corporate certificates stored on their USB tokens or smart cards.
Now we want to move to OpenSSL 1.1.1 to add support for TLSv1.3 in Nginx. After we compiled Nginx with the latest OpenSSL 1.1.1, we found that Nginx failed to verify some client certificates, with a 495 error. The same client certificates worked fine when Nginx was built with OpenSSL 1.0.2.

However, verifying the failing certificates with the OpenSSL 1.1.1 console command works fine:
> openssl verify -crl_check -CRLfile crl.pem -CAfile root-ca.crt user.crt
shows
> user.crt : OK

Environment:
1) SLES12 SP4 - 
2) OpenSSL 1.1.1c
3) Nginx 1.17.3 "	defect	closed	minor		nginx-module	1.17.x	invalid			Linux xxxxx 4.12.14-94.41-default #1 SMP Wed Oct 31 12:25:04 UTC 2018 (3090901) x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.17.3
built by gcc 4.8.5 (SUSE Linux) 
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --add-module=../naxsi-0.56/naxsi_src --with-http_ssl_module --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/usr/local/nginx/nginx.pid --add-module=../nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --with-http_geoip_module --with-openssl=../openssl-1.1.1c --with-http_stub_status_module --with-http_v2_module --with-http_sub_module"
