Opened 12 years ago
Closed 10 years ago
#344 closed defect (worksforme)
SSL proxy - CRL verification error
| Reported by: | Pasha Ninjah | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.3.x |
| Keywords: | ssl proxy crl | Cc: | |
| uname -a: | Linux ubuntu 3.5.0-27-generic #46~precise1-Ubuntu SMP Tue Mar 26 19:33:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | nginx version: nginx/1.3.12 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_gzip_static_module --with-http_ssl_module --with-ipv6 --without-http_browser_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_zone_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --with-http_stub_status_module --without-http_ssi_module --without-http_userid_module --without-http_uwsgi_module --add-module=/build/buildd/nginx-1.3.12/debian/modules/nginx-echo | | |
Description
Hello
The configuration is pretty straightforward - the nginx server verifies clients' certificates and lets them through if they are valid. Now everything works smoothly until we add a revocation list check. After that nginx spits out '400 Bad Request' and refuses to cooperate. Here's the config:
```nginx
server {
    listen 80;
    rewrite ^ https://$host$request_uri permanent;
}

server {
    listen 443 default_server ssl;
    server_name xx.xx.se;

    ssl_certificate /etc/ssl/hdca/hosts/tid.crt;
    ssl_certificate_key /etc/ssl/hdca/hosts/tid.key;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;

    ssl_crl /etc/ssl/hdca/crl/PersonCA.crl;
    # ssl_trusted_certificate /etc/ssl/hdca/chain/serverchain.pem;
    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/hdca/chain/personchain.pem;
    ssl_verify_depth 2;

    error_log /var/log/nginx/debug.log debug;

    location / {
        proxy_pass http://111.111.111.111:80;
    }
}
```
Here's the x509 certificate details:
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4720334111655231702 (0x4181fedd7a5e80d6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=xxx Server CA, O=xxx, C=SE
        Validity
            Not Before: Apr 15 13:44:04 2013 GMT
            Not After : Apr 15 13:44:04 2015 GMT
        Subject: CN=xxx, O=xxx, C=SE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://xxx.xxx.se
            X509v3 Subject Key Identifier:
                5D:B1:DE:7E:CE:74:65:8F:5A:82:51:3E:3A:A7:1D:9D:6B:44:D9:1B
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:33:3F:5C:C3:C2:EB:F5:E1:32:B6:85:A1:03:2E:75:EA:76:DA:72:BC
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://valid/and/working.crl
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:xx.xx.se
```
And this is the error message I get in the debug log:
```text
2013/04/26 15:46:56 [info] 1695#0: *4 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: 192.168.122.1, server: xxx.xx.se, request: "GET / HTTP/1.1", host: "xxx.xx.se"
```
Pretty interesting that if I use the RootCA CRL list (for testing purposes, obviously), nginx eats up 100% of the CPU and stops answering, without logging anything of value.
A similar config works for both Apache and Pound, so there shouldn't be a problem with the certificate. It should also be noted that the certificate is not self-signed but issued by an authority.
Thank you in advance.

When using intermediate CAs, a file with CRLs is expected to contain CRLs for all CAs. The error in question will appear if there is no CRL for some CA in the certificate chain.
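The closing comment and the reporter's `ssl_crl /etc/ssl/hdca/crl/PersonCA.crl;` line together describe the cause: nginx passes `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` to OpenSSL, so every CA in the chain, root included, must have its own CRL in the `ssl_crl` file, not only the issuing intermediate. The script below is an added example, not code from the ticket or from nginx. It builds a throwaway root -> "Person CA" -> client PKI with one empty CRL per CA (all names, paths and keys constructed), then offers two checks: `crl_coverage` lists the CAs in a chain file that have no CRL in a given bundle, and `verify_with_crls` runs `openssl verify -crl_check_all`, which applies the same CRL_CHECK_ALL rule nginx does. It assumes the `openssl` command-line tool (1.0.2 or later) is installed.

```shell
#!/bin/sh
# Added example, not from the ticket or from nginx: demonstrates the closing
# comment. nginx verifies client certificates with OpenSSL's CRL_CHECK_ALL flag,
# so the ssl_crl file must contain a CRL from every CA in the chain (here a
# constructed root -> "Person CA" -> client chain). All names are made up.
set -eu

# make_demo_pki DIR: build root.crt, person.crt, client.crt, personchain.pem
# (intermediate + root, like the ticket's ssl_client_certificate file) and one
# empty CRL per CA (PersonCA.crl, RootCA.crl) under DIR. Throwaway keys only.
make_demo_pki() {
  d=$1
  mkdir -p "$d"
  : > "$d/index.txt"       # empty "openssl ca" database: nothing is revoked
  printf '01\n' > "$d/serial"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = Common Name' \
    '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
    '[ca]' 'default_ca = demo' '[demo]' "database = $d/index.txt" "serial = $d/serial" \
    "new_certs_dir = $d" 'default_md = sha256' 'default_crl_days = 30' > "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 365 -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Demo Person CA' -keyout "$d/person.key" -out "$d/person.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/person.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions ca_ext -out "$d/person.crt" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=demo client' -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/client.csr" -CA "$d/person.crt" -CAkey "$d/person.key" \
    -CAcreateserial -out "$d/client.crt" 2>/dev/null
  cat "$d/person.crt" "$d/root.crt" > "$d/personchain.pem"
  # One CRL per CA; nginx needs both even though neither revokes anything.
  openssl ca -gencrl -config "$d/demo.cnf" -keyfile "$d/person.key" -cert "$d/person.crt" \
    -crldays 30 -out "$d/PersonCA.crl" 2>/dev/null
  openssl ca -gencrl -config "$d/demo.cnf" -keyfile "$d/root.key" -cert "$d/root.crt" \
    -crldays 30 -out "$d/RootCA.crl" 2>/dev/null
}

# crl_coverage CHAIN_PEM CRL_BUNDLE_PEM: print the subject of every CA certificate
# in CHAIN_PEM that has no CRL issued by it in CRL_BUNDLE_PEM (matched on the
# issuer name). Prints nothing when the bundle covers the whole chain.
crl_coverage() {
  tmp=$(mktemp -d)
  # split both PEM bundles into one file per object
  awk -v o="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (o "/ca" n ".pem")}' "$1"
  awk -v o="$tmp" '/-----BEGIN X509 CRL-----/{n++} n{print > (o "/crl" n ".pem")}' "$2"
  : > "$tmp/issuers"
  for f in "$tmp"/crl*.pem; do
    [ -e "$f" ] || continue
    openssl crl -noout -issuer -in "$f" | sed 's/^issuer=//' >> "$tmp/issuers"
  done
  for f in "$tmp"/ca*.pem; do
    [ -e "$f" ] || continue
    subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
    grep -qxF -- "$subj" "$tmp/issuers" || printf '%s\n' "$subj"
  done
  rm -rf "$tmp"
}

# verify_with_crls CA_FILE CHAIN_FILE CRL_FILE LEAF_CERT: the check nginx applies
# when ssl_crl is set ("openssl verify -crl_check_all" turns on the same
# X509_V_FLAG_CRL_CHECK_ALL). Returns 0 only when LEAF_CERT verifies.
verify_with_crls() {
  openssl verify -crl_check_all -CAfile "$1" -untrusted "$2" -CRLfile "$3" "$4" 2>&1 \
    | grep -q ': OK$'
}
```

With only `PersonCA.crl` in the bundle, `crl_coverage` names the root CA and `verify_with_crls` fails with the ticket's error 3 ("unable to get certificate CRL") at depth 1; after `cat PersonCA.crl RootCA.crl > all.crl` both checks pass. Applied to the reporter's setup this means concatenating the CRLs of every CA in `personchain.pem` into one PEM file and pointing `ssl_crl` at that file (the file name is the operator's choice). Note that the root's CRL must be present even when the root never revoked anything, and that each CRL must be within its validity window, so the bundle needs the same refresh schedule as the CRLs it is built from.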