id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
830	400 Bad Request - No required SSL certificate was sent occurs randomly during a valid SSL session	Jeffrey		"'''What is wrong?'''
Subdomains are protected with a client certificate per subdomain. It is possible to access the subdomain when you choose the right client certificate. Randomly during a session (can be after 5 minutes, or after 2 hours) NGINX will return with a ""400 Bad Request - No required SSL certificate was sent"". I would expect either NGINX to re-request the client certificate or just continue with the previous session.

'''Configuration'''
We have 112 SNI based subdomains protected with client certificates like so:

{{{
server {
    listen       443 ssl;
    server_name  sub.domain.com;

    ssl_certificate        /etc/nginx/ssl/certs/site.pem;
    ssl_certificate_key    /etc/nginx/ssl/private/site.key;
    ssl_client_certificate /etc/nginx/ssl/certs/clientCA.crt;
    ssl_verify_client      on;

    include     /etc/nginx/props/ssldefault.conf;

    location / {
        include         /etc/nginx/props/proxyall.conf;
        if ( $ssl_client_serial != 61) {return 403;}
        proxy_pass      http://backend;
    }
}
}}}

Because we have 112 subdomains we've set the following:

{{{
server_names_hash_max_size  1600;
}}}

'''Debugging so far'''
See attached debug log. Either the browser does not get informed it should send a certificate, or NGINX ignores the sent certificate; it might be losing the cache.


'''Reproduce'''
It's hard to reproduce, but the best way so far: 
 - Use Internet Explorer 11
 - Go to a URL using a client certificate
 - Use multiple tabs with URLs using client certificates pointing to the same NGINX instance
 - Refresh once in a while
 - The issue will occur within 1 hour (sometimes within 5 minutes)
 - Other tabs mostly follow shortly after.

This bug does occur in other browsers as well, but might take 2 to 8 hours to reproduce."	defect	closed	major		nginx-module	1.9.x	worksforme	ssl client certificate		Linux proxy001 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.9.5
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody --group=nobody --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g' --add-module=./nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d/ --with-debug"
