﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2154	"old devices and ""ssl_verify_ssl optional"" fails with 400"	mbalikov@…		"Example configuration:

http {
   ssl_client_certificate nginx_server.ca-crt;
   ssl_verify_client optional;

   server {
      listen 443 default_server ssl;
      
      location /private_with_cert/ {
          if ($ssl_client_verify != SUCCESS) {
             return 403;
          }
      }
      location /public_without_cert/ {
      }
   }
}


It works perfectly with 99% of the clients, but there are at least two types of devices that fail with 400 when requesting the ""public_without_cert"" location.

-------

error_log : ""client SSL certificate verify error: (20:unable to get local issuer certificate) while reading client request headers""

device : ""Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15""

-------

error_log : ""client SSL certificate verify error: (18:self signed certificate) while reading client request headers""

device : ""Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/13.2 Chrome/83.0.4103.106 Mobile Safari/537.36""




"	defect	closed	major		documentation	1.18.x	invalid		mbalikov@…	"Linux host 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
"	"# nginx -V
nginx version: nginx/1.18.0
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0l  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx/ --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-pcre --with-pcre-jit --add-dynamic-module=../MODULES/ngx_devel_kit --add-dynamic-module=../MODULES/ngx_cache_purge --add-dynamic-module=../MODULES/set-misc-nginx-module --add-dynamic-module=../MODULES/njs-module/nginx --add-dynamic-module=../MODULES/memc-nginx-module --add-dynamic-module=../MODULES/lua-nginx-module --add-dynamic-module=../MODULES/redis2-nginx-module --add-dynamic-module=../MODULES/srcache-nginx-module
"
