#338 closed defect (invalid)
ssl_verify_client optional_no_ca generates an error with expired client certificate
Reported by: | Emanuelis Norbutas | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.2.x |
Keywords: | ssl ssl_verify_client optional_no_ca expired certificate | Cc: | em@… |
uname -a: | Linux nginx-ssl-test 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.2.8
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g' |
Description
Hello,
I need nginx to verify clients certificate but allow application to decide what to do if the certificate is not valid (or expired).
With invalid certificate I get (and it's ok):
emanuelis@emanuelis:~$ curl -v -k --cert invalid.pem https://nginx-ssl-test ... > GET / HTTP/1.1 > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > Host: nginx-ssl-test > Accept: */* > < HTTP/1.1 200 OK < Server: nginx/1.2.8 < Date: Tue, 23 Apr 2013 12:56:58 GMT < Content-Type: text/html; charset=UTF-8 < Transfer-Encoding: chunked < Connection: keep-alive < X-Powered-By: PHP/5.3.3 ...
But with expired certificate (not ok):
emanuelis@emanuelis:~$ curl -v -k --cert expired.pem https://nginx-ssl-test ... > GET / HTTP/1.1 > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > Host: nginx-ssl-test > Accept: */* > < HTTP/1.1 400 Bad Request < Server: nginx/1.2.8 < Date: Tue, 23 Apr 2013 12:59:48 GMT < Content-Type: text/html < Content-Length: 230 < Connection: close < <html> <head><title>400 The SSL certificate error</title></head> <body bgcolor="white"> <center><h1>400 Bad Request</h1></center> <center>The SSL certificate error</center> <hr><center>nginx/1.2.8</center> </body> </html> * Closing connection #0 * SSLv3, TLS alert, Client hello (1):
error log says:
2013/04/23 15:59:48 [info] 17115#0: *15 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: <IP>, server: _, request: "GET / HTTP/1.1", host: "<IP>"
Interesting configuration lines:
ssl_client_certificate signing_certificate.pem; ssl_verify_client optional_no_ca; ssl_verify_depth 2; proxy_set_header X-Client-Certificate "serialNumber=\"$ssl_client_serial\", subject=\"$ssl_client_s_dn\", issuer=\"$ssl_client_i_dn\", verify=\"$ssl_client_verify\"";
Change History (2)
comment:1 by , 12 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 8 years ago
sensitive: | 1 → 0 |
---|
Note:
See TracTickets
for help on using tickets.
The first sentense in your report is invalid. The "optional_no_ca" is expected to verify everything except trust to a CA, see docs. Expired certificates are expected to generate errors.