Opened 7 weeks ago

Last modified 4 weeks ago

#2626 new defect

cannot use mTLS on nginx via http3 protocol

Reported by: terem42@… Owned by:
Priority: major Milestone: nginx-1.27
Component: http/3 Version: 1.25.x
Keywords: Cc: terem42@…
uname -a: Linux terem 5.10.0-0.bpo.3-cloud-amd64 #1 SMP Debian 5.10.13-1~bpo10+1 (2021-02-11) x86_64 GNU/Linux
nginx -V: nginx version: openresty/1.25.3.1 (terem)
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 3.2.1 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC' --add-module=../ngx_devel_kit-0.3.3 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt=-Wl,-rpath,/usr/share/nginx/luajit/lib --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=www-data --group=www-data --build=terem --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-http_xslt_module --add-module=/work/nginx_http3_build/openresty-1.25.3.1/../nginx-dav-ext-module-3.0.0 --add-module=/work/nginx_http3_build/openresty-1.25.3.1/../ngx_http_geoip2_module-3.4 --with-ipv6 --with-mail --with-mail_ssl_module --with-openssl=/work/nginx_http3_build/openresty-1.25.3.1/../openssl-3.2.1 --with-openssl-opt='-g no-weak-ssl-ciphers' --with-md5-asm --with-sha1-asm --with-stream --with-stream_ssl_module --with-threads --with-pcre-jit --with-pcre=/work/nginx_http3_build/openresty-1.25.3.1/../pcre-8.45 --with-pcre-opt=-g --with-stream --without-pcre2 --with-stream_ssl_preread_module

Description (last modified by terem42@…)

I cant use user certificates over HTTP3 protocol.
Whenever I enable quic protocol in nginx config, $ssl_client_verify nginx variable always shows false.

When I disable http3 and revert to http2, client authentication works without errors.

http3 protocol tests are done via Mozilla browser version 124 and Docker-built curl with http3 support, example of command line used docker run -it -v ./:/testcert --rm ymuski/curl-http3 curl -vvv -I --http3 --cert-type P12 --cert "/testcert/usercert.pfx:mypass" https://<mysite.com>

Without mTLS enabled, HTTP3 protocol works normally.

Change History (3)

comment:1 by terem42@…, 7 weeks ago

Description: modified (diff)

comment:2 by Roman Arutyunyan, 6 weeks ago

Just tried again it and it works fine for me. I use ngtcp2 client (afaik curl uses this library as well). Please see the debug log for details about client certificate issues like this:

2024/04/09 20:15:57 [debug] 72045#0: *15 verify:1, error:0, depth:1, subject:"...", issuer:"..."
2024/04/09 20:15:57 [debug] 72045#0: *15 verify:1, error:0, depth:0, subject:"...", issuer:"..."

comment:3 by m.herasimovich, 4 weeks ago

Milestone: nginx-1.25nginx-1.27

Ticket retargeted after milestone closed

Note: See TracTickets for help on using tickets.