Opened 10 months ago

Closed 10 months ago

Last modified 10 months ago

#2319 closed defect (duplicate)

"ssl_verify_client: optional" no longer forwards "FAILED" result on expired certificate

Reported by: lbodtke@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: ngx_http_ssl_module, openssl, ssl_verify_client Cc: lbodtke@…
uname -a:
nginx -V: nginx version: nginx/1.19.9

Description

When using following parameter in the module ngx_http_ssl_module

ssl_verify_client: optional

nginx used to forward the request to the backend, with
$ssl_client_verify containing "FAILED: ...".
This also matched the documentation at:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify

(same applies to optional_no_ca)

Now, this is no longer working. When the client provides an expired certificate, nginx returns a HTTP 400 Certificate Error page instead of passing the request to the backend.

The root cause for this issue seems to be a change in OpenSSL, see:
https://github.com/openssl/openssl/issues/14036

Is this change in behaviour considered a bug in nginx, or will it stay this way and is there any other workaround for this?

Versions used:
OpenSSL 1.1.1l 24 Aug 2021
nginx version: nginx/1.19.9

Change History (2)

comment:1 by Maxim Dounin, 10 months ago

Resolution: duplicate
Status: newclosed

The ssl_verify_client optional; never allowed expired certificates, and always generated error 495 on any certificate errors.

You probably mean optional_no_ca instead: indeed, if there were multiple reasons for the certificate validation to fail, nginx might not know if the certificate is expired or not, depending on the OpenSSL version and exact configuration being used. The optional_no_ca is expected to allow certificates which are not signed by a known CA, but not certificates which are otherwise invalid as long as nginx knows it. If you want nginx to continue processing of requests with such invalid certificates, consider appropriate error_page configuration (see #1386 for an example).

This is actually already outlined by myself in the OpenSSL ticket referenced in the ticket description.

Closing this as a duplicate of #338.

comment:2 by lbodtke@…, 10 months ago

Thanks for the feedback and the reference to error page solution :)

Note: See TracTickets for help on using tickets.