Opened 7 months ago

Closed 7 months ago

#2154 closed defect (invalid)

old devices and "ssl_verify_ssl optional" fails with 400

Reported by: mbalikov@… Owned by:
Priority: major Milestone:
Component: documentation Version: 1.18.x
Keywords: Cc: mbalikov@…
uname -a: Linux host 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
nginx -V: # nginx -V
nginx version: nginx/1.18.0
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0l 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx/ --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-pcre --with-pcre-jit --add-dynamic-module=../MODULES/ngx_devel_kit --add-dynamic-module=../MODULES/ngx_cache_purge --add-dynamic-module=../MODULES/set-misc-nginx-module --add-dynamic-module=../MODULES/njs-module/nginx --add-dynamic-module=../MODULES/memc-nginx-module --add-dynamic-module=../MODULES/lua-nginx-module --add-dynamic-module=../MODULES/redis2-nginx-module --add-dynamic-module=../MODULES/srcache-nginx-module

Description

Example configuration:

http {

ssl_client_certificate nginx_server.ca-crt;
ssl_verify_client optional;

server {

listen 443 default_server ssl;


location /private_with_cert/ {

if ($ssl_client_verify != SUCCESS) {

return 403;

}

}
location /public_without_cert/ {
}

}

}

It works perfectly with 99% of the clients, but there are at least two type ot devices that fail with 400 when requesting "public_without_cert" location.


error_log : "client SSL certificate verify error: (20:unable to get local issuer certificate) while reading client request headers"

device : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15"


error_log : "client SSL certificate verify error: (18:self signed certificate) while reading client request headers"

device : "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/13.2 Chrome/83.0.4103.106 Mobile Safari/537.36"

Change History (1)

comment:1 by Maxim Dounin, 7 months ago

Resolution: invalid
Status: newclosed

The ssl_verify_client optional; implies that a client is not required to provide a certificate, but if it does, the certificate is verified up to a trusted root certificate. If the verification fails, nginx generates the 495 error, and this is what happens in your case.

If you really want nginx to respond regardless of the certificate status, consider configuring appropriate error_page 495. Alternatively, consider configuring public pages in a separate server{} block without client certificate verification enabled.

Note: See TracTickets for help on using tickets.