Opened 11 years ago

Closed 9 years ago

#344 closed defect (worksforme)

SSL proxy - CRL verification error

Reported by: Pasha Ninjah Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.3.x
Keywords: ssl proxy crl Cc:
uname -a: Linux ubuntu 3.5.0-27-generic #46~precise1-Ubuntu SMP Tue Mar 26 19:33:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.3.12
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/ --with-pcre-jit --with-http_gzip_static_module --with-http_ssl_module --with-ipv6 --without-http_browser_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_zone_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --with-http_stub_status_module --without-http_ssi_module --without-http_userid_module --without-http_uwsgi_module --add-module=/build/buildd/nginx-1.3.12/debian/modules/nginx-echo



The configuration is pretty straightforward - the nginx server verifies clients' certificates and lets them through if they are valid. Now everything works smoothly until we add a revocation list check. After that nginx spits out '400 Bad Request' and refuses to cooperate. Here's the config:

server {
        listen 80;
        rewrite ^ https://$host$request_uri permanent;

server {
        listen  443 default_server ssl;
        server_name   ;
        ssl_certificate         /etc/ssl/hdca/hosts/tid.crt;
        ssl_certificate_key     /etc/ssl/hdca/hosts/tid.key;
        ssl_session_cache       shared:SSL:10m;
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers             ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
        ssl_crl                 /etc/ssl/hdca/crl/PersonCA.crl;
#       ssl_trusted_certificate /etc/ssl/hdca/chain/serverchain.pem;
        ssl_verify_client on;
        ssl_client_certificate /etc/ssl/hdca/chain/personchain.pem;
        ssl_verify_depth 2;
        error_log /var/log/nginx/debug.log debug;

        location / {

Here's the x509 certificate details:

        Version: 3 (0x2)
        Serial Number: 4720334111655231702 (0x4181fedd7a5e80d6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=xxx Server CA, O=xxx, C=SE
            Not Before: Apr 15 13:44:04 2013 GMT
            Not After : Apr 15 13:44:04 2015 GMT
        Subject: CN=xxx, O=xxx, C=SE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
       X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:

            X509v3 Subject Key Identifier: 
            X509v3 Basic Constraints: critical
            X509v3 Authority Key Identifier: 

            X509v3 CRL Distribution Points: 

                Full Name:

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 

And this is the error message I get in the debug log:

2013/04/26 15:46:56 [info] 1695#0: *4 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client:, server:, request: "GET / HTTP/1.1", host: ""

Pretty interesting that if I use RootCA CRL list (for testing purposes obviously) - nginx eats up 100% of cpu and stops answering, without logging anything of value.

A similar config works both for apache and pound so there shouldn't be a problem in the certificate. It should also be noted that the certificate is not self-signed but issued by an authority.

Thank you in advance.

Change History (1)

comment:1 by Maxim Dounin, 9 years ago

Resolution: worksforme
Status: newclosed

When using intermediate CAs, a file with CRLs is expected to contain CRLs for all CAs. The error in question will appear if there is no CRL for some CA in the certificate chain.

Note: See TracTickets for help on using tickets.