Opened 5 years ago
#1902 new defect
Can not use ssl_trusted_certificate to verify Clients
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.17.x |
| Keywords: | | Cc: | |
| uname -a: | Linux dev-02 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.17.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/nginx/openssl-1.1.1d --without-http_ssi_module --without-http_userid_module --without-http_geo_module --without-http_auth_basic_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre --with-http_ssl_module --with-stream --with-stream_ssl_module
```
Description
In my config, I set the following to validate client certificates:

```
ssl_verify_client on;
ssl_trusted_certificate /usr/local/nginx/ssl/ca.crt;
ssl_crl /usr/local/nginx/ssl/crl.pem;
```
The server fails to start with the error: `nginx: [emerg] no ssl_client_certificate for ssl_verify_client`
If I change the configuration to the following, the server starts:

```
ssl_verify_client on;
ssl_client_certificate /usr/local/nginx/ssl/ca.crt;
ssl_crl /usr/local/nginx/ssl/crl.pem;
```
I am not using OCSP or stapling, just verification against a CA/CRL.

Reading through the docs, the description for both of the options 'ssl_trusted_certificate' and 'ssl_client_certificate' is the same: "Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled." The only difference is whether the list of certificates is sent to the client.
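As an added example (not code from the ticket or from nginx), a small Python lint that reproduces the startup check behind the emerg message above: `ssl_verify_client on` (or `optional`) requires `ssl_client_certificate`, and `ssl_trusted_certificate` does not satisfy it. The two sample configs are constructed from the snippets in the ticket; the parser and the exemption for `optional_no_ca` are assumptions based on how nginx merges its ssl server config.

```python
"""Added example: flag the mistake in this ticket before `nginx -t` does.

nginx requires ssl_client_certificate when ssl_verify_client is on or
optional (optional_no_ca is exempt); ssl_trusted_certificate alone does not
satisfy that check even though both directives load a CA bundle.
"""
import re

# Matches a simple `name value;` directive on one line (assumed parser).
_DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$")


def parse_directives(config: str) -> dict:
    """Parse `name value;` lines, ignoring comments and block braces."""
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}") or line.endswith("{"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def check_client_verify(config: str) -> list:
    """Return the problems found; an empty list means the check passes."""
    d = parse_directives(config)
    problems = []
    verify = d.get("ssl_verify_client", "off")
    if verify in ("on", "optional") and "ssl_client_certificate" not in d:
        msg = "no ssl_client_certificate for ssl_verify_client"
        if "ssl_trusted_certificate" in d:
            msg += " (ssl_trusted_certificate does not replace it)"
        problems.append(msg)
    return problems


# Constructed sample configs mirroring the two snippets in the ticket.
BROKEN = """
server {
    ssl_verify_client on;
    ssl_trusted_certificate /usr/local/nginx/ssl/ca.crt;
    ssl_crl /usr/local/nginx/ssl/crl.pem;
}
"""
FIXED = BROKEN.replace("ssl_trusted_certificate", "ssl_client_certificate")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_client_verify(cfg) or "ok")
```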