Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#338 closed defect (invalid)

ssl_verify_client optional_no_ca generates an error with expired client certificate

Reported by: Emanuelis Norbutas Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.2.x
Keywords: ssl ssl_verify_client optional_no_ca expired certificate Cc: em@…
uname -a: Linux nginx-ssl-test 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.8
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'

Description

Hello,

I need nginx to verify clients certificate but allow application to decide what to do if the certificate is not valid (or expired).

With invalid certificate I get (and it's ok):

emanuelis@emanuelis:~$ curl -v -k --cert invalid.pem https://nginx-ssl-test
...
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: nginx-ssl-test
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.2.8
< Date: Tue, 23 Apr 2013 12:56:58 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.3.3
...

But with expired certificate (not ok):

emanuelis@emanuelis:~$ curl -v -k --cert expired.pem https://nginx-ssl-test
...
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: nginx-ssl-test
> Accept: */*
> 
< HTTP/1.1 400 Bad Request
< Server: nginx/1.2.8
< Date: Tue, 23 Apr 2013 12:59:48 GMT
< Content-Type: text/html
< Content-Length: 230
< Connection: close
< 
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.2.8</center>
</body>
</html>
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

error log says:

2013/04/23 15:59:48 [info] 17115#0: *15 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: <IP>, server: _, request: "GET / HTTP/1.1", host: "<IP>"

Interesting configuration lines:

ssl_client_certificate signing_certificate.pem;
ssl_verify_client optional_no_ca;
ssl_verify_depth 2;
proxy_set_header X-Client-Certificate "serialNumber=\"$ssl_client_serial\", subject=\"$ssl_client_s_dn\", issuer=\"$ssl_client_i_dn\", verify=\"$ssl_client_verify\"";

Change History (2)

comment:1 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: newclosed

The first sentense in your report is invalid. The "optional_no_ca" is expected to verify everything except trust to a CA, see docs. Expired certificates are expected to generate errors.

Last edited 7 years ago by Maxim Dounin (previous) (diff)

comment:2 by Maxim Dounin, 3 years ago

sensitive: 10
Note: See TracTickets for help on using tickets.