id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
338,ssl_verify_client optional_no_ca generates an error with expired client certificate,Emanuelis Norbutas,,"Hello,
I need nginx to verify the client's certificate but allow the application to decide what to do if the certificate is not valid (or expired).
With an invalid certificate I get (and it's ok):
{{{
emanuelis@emanuelis:~$ curl -v -k --cert invalid.pem https://nginx-ssl-test
...
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: nginx-ssl-test
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.2.8
< Date: Tue, 23 Apr 2013 12:56:58 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.3.3
...
}}}
But with an expired certificate (not ok):
{{{
emanuelis@emanuelis:~$ curl -v -k --cert expired.pem https://nginx-ssl-test
...
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: nginx-ssl-test
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.2.8
< Date: Tue, 23 Apr 2013 12:59:48 GMT
< Content-Type: text/html
< Content-Length: 230
< Connection: close
<
400 The SSL certificate error
400 Bad Request
The SSL certificate error
nginx/1.2.8
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
}}}
The error log says:
{{{
2013/04/23 15:59:48 [info] 17115#0: *15 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: , server: _, request: ""GET / HTTP/1.1"", host: """"
}}}
Interesting configuration lines:
{{{
ssl_client_certificate signing_certificate.pem;
ssl_verify_client optional_no_ca;
ssl_verify_depth 2;
proxy_set_header X-Client-Certificate ""serialNumber=\""$ssl_client_serial\"", subject=\""$ssl_client_s_dn\"", issuer=\""$ssl_client_i_dn\"", verify=\""$ssl_client_verify\"""";
}}}
",defect,closed,minor,,nginx-module,1.2.x,invalid,ssl ssl_verify_client optional_no_ca expired certificate,em@…,Linux nginx-ssl-test 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.2.8
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'"