Opened 5 weeks ago

Closed 5 weeks ago

Last modified 5 weeks ago

#1871 closed defect (invalid)

Nginx will not accept the latter of two client certs if the subject is the same.

Reported by: johannes.gehrs.moia.io@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.17.x
Keywords: Cc:
uname -a: Linux 1f972dd0e65f 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.4 built by gcc 8.3.0 (Debian 8.3.0-6) built with OpenSSL 1.1.1c 28 May 2019 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.4/debian/debuild-base/nginx-1.17.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Nginx will not accept the latter of two client certs if the subject is the same.

This code is supposed to demonstrate this: https://github.com/johannes-gehrs/nginx-bug-2clientcerts

Run make certs to create certificates. Run make docker to build and run a docker container which
uses the certs.

Then you can test like this:

# This will work
curl --insecure --cert ./client1.crt  --key client1.key  https://localhost:8443/index.html
# This will fail
curl --insecure --cert ./client2.crt  --key client2.key  https://localhost:8443/index.html

If you change the subj to be non-identical between both client certs in the Makefile, then both certs
will be accepted.

Our expectation would be that certificates with the same subject are both accepted.

Our concrete use case is that all certificates issued bei AWS API Gateway have the same subject. So we currently cannot do zero downtime deployments when rotating the certs.

Change History (2)

comment:1 Changed 5 weeks ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

You are using two self-signed certificates with identical subjects, and asks nginx to use both these certificates as trusted CA roots. This is not going to work, as certificate verification implies that appropriate certificate is looked up via it's issuer DN, and hence no two CAs can have identical subjects.

Instead, consider configuring appropriate root CA certificate in the ssl_client_certificate, and use client certificates signed by the root certificate in question. This is expected to work even if subject DNs are identical in the client certificates.

comment:2 Changed 5 weeks ago by johannes.gehrs.moia.io@…

thanks for the explanation.

Note: See TracTickets for help on using tickets.