#1871 closed defect (invalid)
Nginx will not accept the latter of two client certs if the subject is the same.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | 1.17.x |
| Keywords: | | Cc: | |

uname -a: Linux 1f972dd0e65f 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64 GNU/Linux

nginx -V:
nginx version: nginx/1.17.4
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.4/debian/debuild-base/nginx-1.17.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Description
Nginx will not accept the latter of two client certs if the subject is the same.
This code is supposed to demonstrate this: https://github.com/johannes-gehrs/nginx-bug-2clientcerts
Run `make certs` to create certificates. Run `make docker` to build and run a docker container which uses the certs.
Then you can test like this:

```sh
# This will work
curl --insecure --cert ./client1.crt --key client1.key https://localhost:8443/index.html
# This will fail
curl --insecure --cert ./client2.crt --key client2.key https://localhost:8443/index.html
```
If you change the `subj` to be non-identical between both client certs in the Makefile, then both certs will be accepted.
Our expectation would be that certificates with the same subject are both accepted.
Our concrete use case is that all certificates issued by AWS API Gateway have the same subject. So we currently cannot do zero downtime deployments when rotating the certs.
You are using two self-signed certificates with identical subjects, and ask nginx to use both these certificates as trusted CA roots. This is not going to work, as certificate verification implies that the appropriate certificate is looked up via its issuer DN, and hence no two CAs can have identical subjects.

Instead, consider configuring the appropriate root CA certificate in `ssl_client_certificate`, and use client certificates signed by the root certificate in question. This is expected to work even if subject DNs are identical in the client certificates.
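To make the recommended setup concrete, here is an added example that is not part of the ticket, of the reporter's repository, or of nginx itself: a POSIX shell script that creates a private CA, issues two client certificates with byte-identical subject DNs from that CA, and checks that each one verifies against the CA certificate alone, which is what nginx does once `ssl_client_certificate` points at the CA rather than at the client certificates. The file names, the working directory and the subject DNs are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the ticket or the nginx project): a private CA
# issuing two client certs that share one subject DN. Both must verify
# against ca.crt, because chain building looks up the *issuer* (the CA),
# not the client certificate's own subject.
set -eu

WORK=${WORK:-$(mktemp -d)}                  # assumed scratch directory
SUBJ="/CN=api-gateway-client/O=Example"     # deliberately identical for both clients

# Create a self-signed root CA (private key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Client CA/O=Example" 2>/dev/null
}

# Issue one client certificate signed by the CA. $1 is the base file name.
# Every client gets the same -subj, mirroring the AWS API Gateway situation.
issue_client() {
  name=$1
  openssl req -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 90 -out "$WORK/$name.crt" 2>/dev/null
}

# Verify a client certificate against the CA only. This approximates what
# nginx checks when ssl_client_certificate contains just ca.crt.
# Returns 0 on success, non-zero on failure.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Print the subject DN of an issued certificate, to show the DNs really match.
subject_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

# Stand-alone run: build the CA, issue two clients, verify both.
if [ "${1:-}" = "run" ]; then
  make_ca
  issue_client client1
  issue_client client2
  subject_of client1
  subject_of client2
  verify_client client1 && echo "client1: OK"
  verify_client client2 && echo "client2: OK"
fi
```

With the resulting `ca.crt` in place, the nginx side of the rotation is just `ssl_client_certificate /path/to/ca.crt;` together with `ssl_verify_client on;`; new client certificates issued by the same CA, identical subject or not, are accepted without touching the nginx configuration. Note that `openssl verify` only approximates nginx's check (same trust store semantics, but no TLS handshake), so a final `curl --cert` test against the running server is still worth doing.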