#1760 closed defect (invalid)
Client cert verification not working with Openssl 1.1.1b - working on 1.0.2r
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | other | Version: | 1.15.x |
Keywords: | openssl | Cc: | |
uname -a: | Linux ssl-modirum301.dibs.dk 3.10.0-957.10.1.el7.x86_64 #1 SMP Thu Feb 7 07:12:53 UTC 2019 | ||
nginx -V: |
nginx version: nginx/1.15.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) built with OpenSSL 1.1.1b 26 Feb 2019 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-openssl=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/openssl-1.1.1b/ --with-http_ssl_module --with-http_stub_status_module --with-debug --with-http_dav_module --with-http_v2_module --with-http_auth_request_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-stream_realip_module --with-openssl-opt=enable-tls1_3 --add-module=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/ModSecurity-nginx |
Description
Hi guys.
If I build Nginx with OpenSSL 1.1.1b, client cert verification is not working. Always resulting in:
2019/04/02 21:18:55 [info] 29916#0: *10 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client: <masked ip>, server: <masked-hostname>, request: "POST /endpoint/jokum HTTP/1.1", host: "<masked-hostname>:4000"
nginx -V:
nginx version: nginx/1.15.10 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) built with OpenSSL 1.1.1b 26 Feb 2019 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-openssl=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/openssl-1.1.1b/ --with-http_ssl_module --with-http_stub_status_module --with-debug --with-http_dav_module --with-http_v2_module --with-http_auth_request_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-stream_realip_module --with-openssl-opt=enable-tls1_3 --add-module=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/ModSecurity-nginx
Configuration:
ssl_client_certificate /etc/nginx/root.pem; ssl_verify_client on; ssl_verify_depth 3;
If I then build Nginx with OpenSSL 1.0.2r, it works fine. Same configuration on same server.
nginx -V:
nginx version: nginx/1.15.10 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) built with OpenSSL 1.0.2r 26 Feb 2019 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-openssl=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/openssl-1.0.2r/ --with-http_ssl_module --with-http_stub_status_module --with-debug --with-http_dav_module --with-http_v2_module --with-http_auth_request_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --with-http_realip_module --with-stream --with-stream_ssl_preread_module --with-stream_realip_module --add-module=/usr/local/development/rpmbuild/rpmbuildnginx/BUILD/ModSecurity-nginx
Attachments (2)
Change History (8)
comment:1 by , 6 years ago
comment:3 by , 6 years ago
As previously suggested, please provide example certificates which demonstrate the problem.
comment:5 by , 6 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
The problem is that the root certificate uses the X509v3 Extended Key Usage extension:
$ openssl x509 -text -noout -in root.pem Certificate: ... X509v3 Extended Key Usage: Any Extended Key Usage ...
While it is set to "Any Extended Key Usage", it doesn't include any other possible key usages. Quoting RFC 5280:
Applications that require the presence of a particular purpose MAY reject certificates that include the anyExtendedKeyUsage OID but not the particular OID expected for the application.
On the other hand, Extended Key Usage is checked by OpenSSL since 1.1.0. And OpenSSL does not permit certificates with anyExtendedKeyUsage as long as the particular OID is not specified. Note well that Extended Key Usage as set on a CA certificate also restricts all the certificates issued by this CA. As such, all certificates issued by the root certificate in question won't be trusted unless a particular key usage is not known.
The same failure can be demonstrated by using openssl verify
with -purpose sslclient
:
$ openssl version OpenSSL 1.0.2o-freebsd 27 Mar 2018 $ openssl verify -purpose sslclient -CAfile root.pem client.pem client.pem: OK
$ openssl version OpenSSL 1.1.0h 27 Mar 2018 $ openssl verify -purpose sslclient -CAfile root.pem client.pem C = EE, ST = HM, L = Tallinn, O = Scheme Inc, OU = Root CA, CN = Scheme Inc Root CA 2027 error 26 at 1 depth lookup: unsupported certificate purpose error client.pem: verification failed
$ openssl version OpenSSL 1.1.1b 26 Feb 2019 $ openssl verify -purpose sslclient -CAfile root.pem client.pem C = EE, ST = HM, L = Tallinn, O = Scheme Inc, OU = Root CA, CN = Scheme Inc Root CA 2027 error 26 at 1 depth lookup: unsupported certificate purpose error client.pem: verification failed
An obvious workaround would be to remove the X509v3 Extended Key Usage extension from the root certificate.
Further reading:
https://serverfault.com/questions/785108/why-does-openvpn-give-the-error-unsupported-certificate-purpose-for-an-interm
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
There are a lot of changes between OpenSSL 1.0.2 and OpenSSL 1.1.1, and the most likely reason is that it now rejects certificates you are using. Try checking if using
openssl verify
works for you, i.e., try something like:with different versions of OpenSSL. As long as it works with OpenSSL 1.0.2, but not with OpenSSL 1.1.1, this is clearly not an nginx problem. If it works with both versions, please provide some example certificates here for us to take a look.