Opened 14 months ago
Closed 14 months ago
Last modified 14 months ago
#2319 closed defect (duplicate)
"ssl_verify_client: optional" no longer forwards "FAILED" result on expired certificate
| Reported by: | | Owned by: | |
| Keywords: | ngx_http_ssl_module, openssl, ssl_verify_client | Cc: | lbodtke@… |
| nginx -V: | nginx version: nginx/1.19.9 | | |
When using the following parameter in the module ngx_http_ssl_module
nginx used to forward the request to the backend, with
$ssl_client_verify containing "FAILED: ...".
This also matched the documentation at:
(same applies to optional_no_ca)
Now, this is no longer working. When the client provides an expired certificate, nginx returns an HTTP 400 Certificate Error page instead of passing the request to the backend.
The root cause for this issue seems to be a change in OpenSSL, see:
Is this change in behaviour considered a bug in nginx, or will it stay this way and is there any other workaround for this?
OpenSSL 1.1.1l 24 Aug 2021
nginx version: nginx/1.19.9
Change History (2)
comment:1 by , 14 months ago
|Status:||new → closed|
ssl_verify_client optional; never allowed expired certificates, and always generated error 495 on any certificate errors. You probably mean optional_no_ca instead: indeed, if there were multiple reasons for the certificate validation to fail, nginx might not know if the certificate is expired or not, depending on the OpenSSL version and exact configuration being used. The optional_no_ca is expected to allow certificates which are not signed by a known CA, but not certificates which are otherwise invalid as long as nginx knows it. If you want nginx to continue processing of requests with such invalid certificates, consider appropriate error_page configuration (see #1386 for an example).
This is actually already outlined by myself in the OpenSSL ticket referenced in the ticket description.
Closing this as a duplicate of #338.
comment:2 by , 14 months ago
Thanks for the feedback and the reference to error page solution :)
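As an added example of the error_page approach suggested in comment 1 (not from the ticket, #1386 or nginx's own documentation): the "400 Certificate Error" page the reporter sees is nginx's internal code 495, which error_page can redirect to a named location so the backend still receives the request together with $ssl_client_verify. The backend address 127.0.0.1:8080, the certificate paths and the X-SSL-Client-* header names are assumptions.

```nginx
# Added example, not the ticket's or nginx's own configuration.
# Assumed: backend on 127.0.0.1:8080, placeholder cert paths, header names chosen here.
server {
    listen 443 ssl;
    server_name example.test;                    # assumed host name

    ssl_certificate     /path/to/server.crt;     # placeholder
    ssl_certificate_key /path/to/server.key;     # placeholder

    # Request a client certificate. optional_no_ca tolerates an unknown CA,
    # but any other validation error nginx detects (e.g. an expired
    # certificate) still produces the internal 495 error.
    ssl_client_certificate /path/to/client-ca.crt;   # placeholder
    ssl_verify_client optional_no_ca;

    # Instead of rendering the built-in 495 ("400 Certificate Error") page,
    # hand the request to the backend. The original URI and method are kept
    # because the target is a named location, not a plain URI.
    error_page 495 = @backend;

    # Headers are set once here and inherited by both locations below.
    # $ssl_client_verify is "SUCCESS", "NONE", or "FAILED:<reason>", so the
    # backend must check it and must not trust the DN on a FAILED result.
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    proxy_set_header Host                $host;

    # Normal path: certificate absent, valid, or only from an unknown CA.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }

    # Fallback path: reached only through error_page 495 above.
    location @backend {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Note that with this configuration nginx no longer rejects invalid client certificates itself; the decision moves entirely to the backend's handling of the X-SSL-Client-Verify value.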