Opened 4 weeks ago

Last modified 5 days ago

#2626 new defect

cannot use mTLS on nginx via http3 protocol

Reported by: terem42@…
Owned by:
Priority: major
Milestone: nginx-1.27
Component: http/3
Version: 1.25.x
Keywords:
Cc: terem42@…
uname -a: Linux terem 5.10.0-0.bpo.3-cloud-amd64 #1 SMP Debian 5.10.13-1~bpo10+1 (2021-02-11) x86_64 GNU/Linux
nginx -V: nginx version: openresty/1.25.3.1 (terem)
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 3.2.1 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC' --add-module=../ngx_devel_kit-0.3.3 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt=-Wl,-rpath,/usr/share/nginx/luajit/lib --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=www-data --group=www-data --build=terem --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-http_xslt_module --add-module=/work/nginx_http3_build/openresty-1.25.3.1/../nginx-dav-ext-module-3.0.0 
--add-module=/work/nginx_http3_build/openresty-1.25.3.1/../ngx_http_geoip2_module-3.4 --with-ipv6 --with-mail --with-mail_ssl_module --with-openssl=/work/nginx_http3_build/openresty-1.25.3.1/../openssl-3.2.1 --with-openssl-opt='-g no-weak-ssl-ciphers' --with-md5-asm --with-sha1-asm --with-stream --with-stream_ssl_module --with-threads --with-pcre-jit --with-pcre=/work/nginx_http3_build/openresty-1.25.3.1/../pcre-8.45 --with-pcre-opt=-g --with-stream --without-pcre2 --with-stream_ssl_preread_module

Description (last modified by terem42@…)

I can't use user certificates over the HTTP3 protocol.
Whenever I enable the quic protocol in the nginx config, the $ssl_client_verify nginx variable always shows false.

When I disable http3 and revert to http2, client authentication works without errors.

http3 protocol tests are done via Mozilla browser version 124 and Docker-built curl with http3 support. Example of the command line used:

    docker run -it -v ./:/testcert --rm ymuski/curl-http3 curl -vvv -I --http3 --cert-type P12 --cert "/testcert/usercert.pfx:mypass" https://<mysite.com>

Without mTLS enabled, HTTP3 protocol works normally.

Change History (3)

comment:1 by terem42@…, 4 weeks ago

Description: modified (diff)

comment:2 by Roman Arutyunyan, 3 weeks ago

Just tried it again and it works fine for me. I use ngtcp2 client (afaik curl uses this library as well). Please see the debug log for details about client certificate issues like this:

2024/04/09 20:15:57 [debug] 72045#0: *15 verify:1, error:0, depth:1, subject:"...", issuer:"..."
2024/04/09 20:15:57 [debug] 72045#0: *15 verify:1, error:0, depth:0, subject:"...", issuer:"..."
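
The debug-log check suggested in comment:2, as an added example that is not part of the ticket or of nginx: a Python script that groups the verify: lines by connection number and reports which connections passed client-certificate verification, which failed, and which never had a certificate checked. The sample log is constructed (the subjects and connections *16 and *17 are made up), and the error: field is assumed to be the OpenSSL X509 verification code, with 0 meaning OK.

```python
import re

# Line written by nginx's certificate verify callback at debug level, in the
# format quoted in comment:2.
VERIFY_RE = re.compile(
    r'\[debug\] \d+#\d+: \*(?P<conn>\d+) verify:(?P<ok>[01]), '
    r'error:(?P<err>\d+), depth:(?P<depth>\d+), subject:"(?P<subject>[^"]*)"')
# Any debug line that carries a connection number (*N).
CONN_RE = re.compile(r'\[debug\] \d+#\d+: \*(\d+) ')

# A few OpenSSL X509_V_ERR_* codes that commonly show up for client certs.
X509_ERRORS = {10: "certificate has expired",
               18: "self-signed certificate",
               20: "unable to get local issuer certificate",
               21: "unable to verify the first certificate"}

def summarize(lines):
    """Return {connection: (status, [problem strings])}."""
    seen, checks = set(), {}
    for line in lines:
        c = CONN_RE.search(line)
        if c:
            seen.add(int(c.group(1)))
        m = VERIFY_RE.search(line)
        if m:
            checks.setdefault(int(m["conn"]), []).append(
                (int(m["depth"]), m["ok"] == "1", int(m["err"]), m["subject"]))
    report = {}
    for conn in sorted(seen):
        entries = checks.get(conn, [])
        problems = [f'depth {d} "{s}": {X509_ERRORS.get(e, "error " + str(e))}'
                    for d, ok, e, s in entries if not ok or e != 0]
        if not entries:
            status = "no-verify-callback"  # no client certificate was checked
        else:
            status = "failed" if problems else "verified"
        report[conn] = (status, problems)
    return report

# Constructed sample log: *15 follows comment:2, *16 and *17 are made up.
SAMPLE = '''\
2024/04/09 20:15:57 [debug] 72045#0: *15 verify:1, error:0, depth:1, subject:"/CN=Example Test CA", issuer:"/CN=Example Test CA"
2024/04/09 20:15:57 [debug] 72045#0: *15 verify:1, error:0, depth:0, subject:"/CN=alice", issuer:"/CN=Example Test CA"
2024/04/09 20:16:02 [debug] 72045#0: *16 verify:0, error:20, depth:0, subject:"/CN=bob", issuer:"/CN=Unknown CA"
2024/04/09 20:16:09 [debug] 72045#0: *17 (constructed placeholder for any other debug line)
'''.splitlines()

if __name__ == "__main__":
    for conn, (status, problems) in summarize(SAMPLE).items():
        print(f"*{conn}: {status}", *problems, sep="\n    ")
```

A connection reported as no-verify-callback produced debug output but no verify: line, so no client certificate was checked on it.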

comment:3 by m.herasimovich, 5 days ago

Milestone: nginx-1.25 → nginx-1.27

Ticket retargeted after milestone closed
