Opened 12 years ago
Closed 9 years ago
#344 closed defect (worksforme)
SSL proxy - CRL verification error
Reported by: | Pasha Ninjah | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.3.x |
Keywords: | ssl proxy crl | Cc: | |
uname -a: | Linux ubuntu 3.5.0-27-generic #46~precise1-Ubuntu SMP Tue Mar 26 19:33:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.3.12
TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_gzip_static_module --with-http_ssl_module --with-ipv6 --without-http_browser_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_zone_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --with-http_stub_status_module --without-http_ssi_module --without-http_userid_module --without-http_uwsgi_module --add-module=/build/buildd/nginx-1.3.12/debian/modules/nginx-echo |
Description
Hello
The configuration is pretty straightforward - the nginx server verifies clients' certificates and lets them through if they are valid. Now everything works smoothly until we add a revocation list check. After that nginx spits out '400 Bad Request' and refuses to cooperate. Here's the config:
server { listen 80; rewrite ^ https://$host$request_uri permanent; } server { listen 443 default_server ssl; server_name xx.xx.se; ssl_certificate /etc/ssl/hdca/hosts/tid.crt; ssl_certificate_key /etc/ssl/hdca/hosts/tid.key; ssl_session_cache shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH; ssl_crl /etc/ssl/hdca/crl/PersonCA.crl; # ssl_trusted_certificate /etc/ssl/hdca/chain/serverchain.pem; ssl_verify_client on; ssl_client_certificate /etc/ssl/hdca/chain/personchain.pem; ssl_verify_depth 2; error_log /var/log/nginx/debug.log debug; location / { proxy_pass http://111.111.111.111:80; } }
Here's the x509 certificate details:
Certificate: Data: Version: 3 (0x2) Serial Number: 4720334111655231702 (0x4181fedd7a5e80d6) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=xxx Server CA, O=xxx, C=SE Validity Not Before: Apr 15 13:44:04 2013 GMT Not After : Apr 15 13:44:04 2015 GMT Subject: CN=xxx, O=xxx, C=SE Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) X509v3 extensions: Authority Information Access: OCSP - URI:http://xxx.xxx.se X509v3 Subject Key Identifier: 5D:B1:DE:7E:CE:74:65:8F:5A:82:51:3E:3A:A7:1D:9D:6B:44:D9:1B X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: keyid:33:3F:5C:C3:C2:EB:F5:E1:32:B6:85:A1:03:2E:75:EA:76:DA:72:BC X509v3 CRL Distribution Points: Full Name: URI:http://valid/and/working.crl X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: DNS:xx.xx.se
And this is the error message I get in the debug log:
2013/04/26 15:46:56 [info] 1695#0: *4 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: 192.168.122.1, server: xxx.xx.se, request: "GET / HTTP/1.1", host: "xxx.xx.se"
Pretty interesting that if I use RootCA CRL list (for testing purposes obviously) - nginx eats up 100% of cpu and stops answering, without logging anything of value.
A similar config works both for apache and pound so there shouldn't be a problem in the certificate. It should also be noted that the certificate is not self-signed but issued by an authority.
Thank you in advance.
When using intermediate CAs, a file with CRLs is expected to contain CRLs for all CAs. The error in question will appear if there is no CRL for some CA in the certificate chain.