Opened 3 years ago

Closed 3 years ago

#2154 closed defect (invalid)

old devices and "ssl_verify_client optional" fails with 400

Reported by: mbalikov@… Owned by:
Priority: major Milestone:
Component: documentation Version: 1.18.x
Keywords: Cc: mbalikov@…
uname -a: Linux host 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
nginx -V: # nginx -V
nginx version: nginx/1.18.0
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0l 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx/ --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-pcre --with-pcre-jit --add-dynamic-module=../MODULES/ngx_devel_kit --add-dynamic-module=../MODULES/ngx_cache_purge --add-dynamic-module=../MODULES/set-misc-nginx-module --add-dynamic-module=../MODULES/njs-module/nginx --add-dynamic-module=../MODULES/memc-nginx-module --add-dynamic-module=../MODULES/lua-nginx-module --add-dynamic-module=../MODULES/redis2-nginx-module --add-dynamic-module=../MODULES/srcache-nginx-module

Description

Example configuration:

    http {
        ssl_client_certificate nginx_server.ca-crt;
        ssl_verify_client optional;

        server {
            listen 443 default_server ssl;

            location /private_with_cert/ {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                }
            }

            location /public_without_cert/ {
            }
        }
    }

It works perfectly with 99% of the clients, but there are at least two types of devices that fail with 400 when requesting the "public_without_cert" location.

error_log : "client SSL certificate verify error: (20:unable to get local issuer certificate) while reading client request headers"

device : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15"

error_log : "client SSL certificate verify error: (18:self signed certificate) while reading client request headers"

device : "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/13.2 Chrome/83.0.4103.106 Mobile Safari/537.36"

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: new → closed

The ssl_verify_client optional; implies that a client is not required to provide a certificate, but if it does, the certificate is verified up to a trusted root certificate. If the verification fails, nginx generates the 495 error, and this is what happens in your case.

If you really want nginx to respond regardless of the certificate status, consider configuring appropriate error_page 495. Alternatively, consider configuring public pages in a separate server{} block without client certificate verification enabled.
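Both alternatives from the comment above, written out as an added configuration example (not part of the ticket or of nginx's own documentation); the CA path is taken from the report, while the document roots, server names and certificate paths are assumed placeholders:

```nginx
http {
    ssl_client_certificate nginx_server.ca-crt;   # CA path from the ticket

    # Option A: one server{} block. A client certificate that fails to verify
    # against the CA raises 495 before any location is selected; error_page
    # turns that into an internal redirect instead of an error response.
    server {
        listen 443 ssl default_server;
        server_name app.example.test;              # assumed
        ssl_certificate     /etc/nginx/tls/app.crt;  # assumed
        ssl_certificate_key /etc/nginx/tls/app.key;  # assumed
        ssl_verify_client optional;
        root /srv/www;                             # assumed docroot

        error_page 495 = @cert_failed;

        location @cert_failed {
            # $ssl_client_verify is "FAILED:<reason>" here, so the private
            # tree stays closed; $uri is still the originally requested path
            # and public content is served from the same root.
            if ($uri ~ ^/private_with_cert/) { return 403; }
        }

        location /private_with_cert/ {
            # Reached only when no certificate was sent or it verified.
            if ($ssl_client_verify != SUCCESS) { return 403; }
        }

        location /public_without_cert/ {
        }
    }

    # Option B: keep public content in a separate server{} (selected by SNI)
    # that never requests a client certificate, so a stale or self-signed
    # certificate presented by an old device is simply never evaluated.
    server {
        listen 443 ssl;
        server_name public.example.test;           # assumed
        ssl_certificate     /etc/nginx/tls/public.crt;  # assumed
        ssl_certificate_key /etc/nginx/tls/public.key;  # assumed
        ssl_verify_client off;
        root /srv/www-public;                      # assumed docroot
    }
}
```

With Option A, a request that hits @cert_failed can still be told apart in the access log by logging $ssl_client_verify, which is useful when deciding whether the failing clients are worth tracking down.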
