Opened 8 years ago

Closed 8 years ago

#1019 closed defect (duplicate)

400 Bad request error on Edge Browser

Reported by: rupeshjt@… Owned by:
Priority: critical Milestone:
Component: nginx-module Version: 1.10.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.10.1
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/build/nginx-abUnII/nginx-1.10.1/debian/modules/nginx-auth-pam --add-module=/build/nginx-abUnII/nginx-1.10.1/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-abUnII/nginx-1.10.1/debian/modules/nginx-echo --add-module=/build/nginx-abUnII/nginx-1.10.1/debian/modules/nginx-upstream-fair --add-module=/build/nginx-abUnII/nginx-1.10.1/debian/modules/ngx_http_substitutions_filter_module

Description

Hi Support,

our website uses client side certs and while accessing the website on microsoft edge, we get "400 Bad Request No required SSL certificate was sent" frequently. The NGINX Version is nginx/1.10.1 and below is the code from NGINX. The website can be accessed on chrome, firefox without any issues.

server {

listen 10.70.10.108:443;
server_name g1.xyz.com;

access_log /var/log/nginx/g1_xyz_access.log;

ssl on;
ssl_certificate /etc/nginx/s1_xyz_com.crt;
ssl_certificate_key /etc/nginx/s1_xyz.com.key;
ssl_client_certificate /etc/nginx/main.crt;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_crl /etc/CA/crl/crldb.pem;
ssl_verify_client on;
ssl_verify_depth 1;
client_max_body_size 200M;

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;
keepalive_timeout 300;


ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

charset utf-8;

location / {


proxy_pass http://10.70.10.221;
proxy_connect_timeout 1800;

proxy_send_timeout 1800;
proxy_read_timeout 1800;
send_timeout 1800;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header URI $uri;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

}

Regards,
Rupesh...

Change History (2)

comment:1 by rupeshjt@…, 8 years ago

uname -a
Linux ip-10-70-10-108 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

comment:2 by Maxim Dounin, 8 years ago

Resolution: duplicate
Status: newclosed

Looks like a duplicate of #830. Please see 830#comment:1, to further debug this we need a debug log and a tcpdump of the corresponding connection to see what goes on here. If you are able to reproduce this issue - please reopen that ticket and add appropriate logs.

Note: See TracTickets for help on using tickets.