id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
338,ssl_verify_client optional_no_ca generates an error with expired client certificate,Emanuelis Norbutas,,"Hello,

I need nginx to verify client certificates but allow the application to decide what to do if the certificate is not valid (or expired).

With an invalid certificate I get (and it's ok):
{{{
emanuelis@emanuelis:~$ curl -v -k --cert invalid.pem https://nginx-ssl-test
...
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: nginx-ssl-test
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.2.8
< Date: Tue, 23 Apr 2013 12:56:58 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.3.3
...
}}}

But with an expired certificate (not ok):
{{{
emanuelis@emanuelis:~$ curl -v -k --cert expired.pem https://nginx-ssl-test
...
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: nginx-ssl-test
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.2.8
< Date: Tue, 23 Apr 2013 12:59:48 GMT
< Content-Type: text/html
< Content-Length: 230
< Connection: close
<
400 The SSL certificate error
400 Bad Request
The SSL certificate error
nginx/1.2.8
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
}}}

The error log says:
{{{
2013/04/23 15:59:48 [info] 17115#0: *15 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: , server: _, request: ""GET / HTTP/1.1"", host: """"
}}}

Interesting configuration lines:
{{{
ssl_client_certificate signing_certificate.pem;
ssl_verify_client optional_no_ca;
ssl_verify_depth 2;
proxy_set_header X-Client-Certificate ""serialNumber=\""$ssl_client_serial\"", subject=\""$ssl_client_s_dn\"", issuer=\""$ssl_client_i_dn\"", verify=\""$ssl_client_verify\"""";
}}}
",defect,closed,minor,,nginx-module,1.2.x,invalid,ssl ssl_verify_client optional_no_ca expired certificate,em@…,Linux nginx-ssl-test 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.2.8
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'"
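The ticket's resolution ("invalid") reflects how `ssl_verify_client optional_no_ca` is meant to work: it relaxes only the check that the client certificate chains to a CA listed in `ssl_client_certificate`. Every other verification failure, an expired certificate included, still makes nginx answer 400 itself before the request reaches the backend, so the `verify="$ssl_client_verify"` header in the configuration above never carries that case. The following Python script is an added example, not part of the ticket and not nginx's own code: it pulls the OpenSSL `X509_V_ERR` code out of error_log lines like the one quoted in the report and says, per `ssl_verify_client` mode, whether nginx would reject the request or hand it to the application. The set of tolerated codes is taken from my reading of the `ngx_ssl_verify_error_optional()` check in nginx's `ngx_event_openssl.h` and should be re-checked against the version in use; the second and third log lines are constructed for the example (written as they would appear under `ssl_verify_client optional`, which logs every failure), the first is the ticket's own.

```python
"""Classify nginx client-certificate verify errors by ssl_verify_client mode.

Added example; not from the ticket and not from nginx. It extracts the OpenSSL
X509_V_ERR code from an nginx error_log line and decides whether nginx would
reject the request with 400 or pass it to the backend for the configured mode.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL X509_V_ERR_* codes (x509_vfy.h); only the ones referenced below.
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2
X509_V_ERR_CERT_SIGNATURE_FAILURE = 7
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21
X509_V_ERR_CERT_REVOKED = 23
X509_V_ERR_CERT_UNTRUSTED = 27

# The failures optional_no_ca tolerates. All of them mean "the chain does not
# lead to a CA in ssl_client_certificate". Assumption: list taken from reading
# ngx_ssl_verify_error_optional() in nginx's ngx_event_openssl.h; re-check it
# against the nginx version you run.
CA_TRUST_ERRORS = frozenset({
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
    X509_V_ERR_CERT_UNTRUSTED,
})

# Matches the "(10:certificate has expired)" part of an nginx verify error line.
VERIFY_ERROR_RE = re.compile(
    r"client SSL certificate verify error: \((\d+):([^)]*)\)")


@dataclass(frozen=True)
class Verdict:
    code: int                         # OpenSSL X509_V_ERR_* code from the log line
    reason: str                       # OpenSSL's text for that code
    http_status: int                  # 400: nginx rejects it; 200: it reaches the app
    ssl_client_verify: Optional[str]  # $ssl_client_verify seen by the app, None if rejected


def classify(code: int, reason: str, mode: str) -> Verdict:
    """Decide nginx's behaviour for one verify error under ssl_verify_client MODE.

    MODE is "on", "optional" or "optional_no_ca". With "off" nginx does not
    verify at all and never logs such a line, so it is not accepted here.
    """
    if mode not in ("on", "optional", "optional_no_ca"):
        raise ValueError(f"unsupported ssl_verify_client mode: {mode}")
    # Only optional_no_ca lets a failed verification through, and only for the
    # CA-trust family. Expiry (10), not-yet-valid (9), revoked (23) and a bad
    # signature (7) are answered with 400 in every mode, as the ticket shows.
    if mode == "optional_no_ca" and code in CA_TRUST_ERRORS:
        # nginx 1.2.8 reports plain "FAILED"; 1.11.7+ appends ":<reason>".
        return Verdict(code, reason, 200, "FAILED")
    return Verdict(code, reason, 400, None)


def classify_error_log(lines: List[str], mode: str) -> List[Verdict]:
    """Return one Verdict per verify-error line; other lines are skipped."""
    verdicts = []
    for line in lines:
        m = VERIFY_ERROR_RE.search(line)
        if m is None:
            continue  # not a client-certificate verify error
        verdicts.append(classify(int(m.group(1)), m.group(2), mode))
    return verdicts


# Sample input: the first line is the one quoted in the ticket; the next two are
# constructed for this example; the last shows an unrelated line being skipped.
SAMPLE_LOG = [
    '2013/04/23 15:59:48 [info] 17115#0: *15 client SSL certificate verify error: '
    '(10:certificate has expired) while reading client request headers, client: , '
    'server: _, request: "GET / HTTP/1.1", host: ""',
    '2013/04/23 16:02:11 [info] 17115#0: *16 client SSL certificate verify error: '
    '(18:self signed certificate) while reading client request headers, client: , '
    'server: _, request: "GET / HTTP/1.1", host: ""',
    '2013/04/23 16:04:30 [info] 17115#0: *17 client SSL certificate verify error: '
    '(9:certificate is not yet valid) while reading client request headers, client: , '
    'server: _, request: "GET / HTTP/1.1", host: ""',
    '2013/04/23 16:05:00 [info] 17115#0: *18 client closed connection while SSL handshaking',
]

if __name__ == "__main__":
    for mode in ("optional", "optional_no_ca"):
        print(f"ssl_verify_client {mode};")
        for v in classify_error_log(SAMPLE_LOG, mode):
            print(f"  ({v.code}:{v.reason}) -> HTTP {v.http_status}, "
                  f"$ssl_client_verify={v.ssl_client_verify}")
```

Run directly, it prints the verdicts for both modes; only the self-signed line changes between them, which is the whole difference `optional_no_ca` makes. The practical consequence for a design like the one in the ticket is that the application only ever sees certificates that have passed every check other than chain trust, so the "let the application decide about expiry" split cannot be expressed with `ssl_verify_client` alone.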