Opened 5 years ago

#1902 new defect

Can not use ssl_trusted_certificate to verify Clients

Reported by: jkman340@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.17.x
Keywords: Cc:
uname -a: Linux dev-02 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/nginx/openssl-1.1.1d --without-http_ssi_module --without-http_userid_module --without-http_geo_module --without-http_auth_basic_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre --with-http_ssl_module --with-stream --with-stream_ssl_module


In my config, I set the following to validate client certificates

ssl_verify_client on;
ssl_trusted_certificate /usr/local/nginx/ssl/ca.crt;
ssl_crl /usr/local/nginx/ssl/crl.pem;

The server fails to start with error: nginx: [emerg] no ssl_client_certificate for ssl_verify_client

If I change the configuration to the following, the server starts.

ssl_verify_client on;
ssl_client_certificate /usr/local/nginx/ssl/ca.crt;
ssl_crl /usr/local/nginx/ssl/crl.pem;

I am not using OSCP or stapling, just verification against a CA/CRL.

Reading thru the Docs, the description for both of the options 'ssl_trusted_certificate' and 'ssl_client_certificate' are the same. "Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled." The only difference is if the list of certificates is sent to the client.

Change History (0)

Note: See TracTickets for help on using tickets.