I have nginx and want it to verify client certificates. So I bought commercial certificate for server, and non-commercial for clients. Basically I’ve generated client certificates with easy-rsa scripts. Connecting with client certificates validation disabled works as expected. Connecting with “ssl_verify_client on;” fails with code 400 and no information in error or access log.
nginx -V outputs:
nginx version: nginx/1.8.0 built with OpenSSL 1.0.2a 19 Mar 2015 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-imap --with-imap_ssl_module --with-ipv6 --with-pcre-jit --with-file-aio --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_spdy_module --with-http_ssl_module --with-http_stub_status_module --with-http_addition_module --with-http_degradation_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_sub_module
my nginx config looks like this
server { listen my.addr.here:443 ssl; server_name my-server; ssl on; ssl_certificate /etc/nginx/ssl/my-server.crt; ssl_certificate_key /etc/nginx/ssl/my-server.key; ssl_dhparam /etc/nginx/ssl/my-server.dhparam; ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_prefer_server_ciphers on; ssl_client_certificate /etc/nginx/ssl/client-ca.crt; ssl_verify_client optional; add_header X-Client-Certificate-Status $ssl_client_verify; # unrelated stuff here }
when I test by OpenSSL client execuing it like this
openssl s_client -connect my-server:443 -cert client.crt -key client.key
I receive the following output
openssl s_client -connect my-server:443 -cert client.crt -key client.key CONNECTED(00000003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = my-server verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=my-server i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=my-server i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA --- Server certificate -----BEGIN CERTIFICATE----- MIIGczCCBVugAwIBAgIRAO+Wb7x6RNHrhAhvUhGKg4EwDQYJKoZIhvcNAQELBQAw ................................................................ ................................................................ /CEp3cHZNnU7JQbgq+r7R16oIONxthXGQQVjE36Bt9KS1ibpaIUThidUDCqzLYjn IOKTJM0r8DVzO2leJDTnuDayOXCji/I= -----END CERTIFICATE----- subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=my-server issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 7198 bytes and written 474 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 727A........................................................1F7C Session-ID-ctx: Master-Key: 0019........................................................................................3CF8 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 0c 72 58 ce 43 33 3f 3f-aa e9 e1 e2 fa 9f 67 ae .rX.C3??......g. ......................................................................... ......................................................................... 00a0 - a4 14 27 fe 80 19 56 af-2d e6 f2 65 3b 0d cd e4 ..'...V.-..e;... Start Time: 1433018240 Timeout : 300 (sec) Verify return code: 0 (ok) ---
Please, note “No client certificate CA names sent” string which as far as I understand means nginx is not properly configured to verify client certificates.
And when I issue request like this
GET https://my-server/robots.txt HTTP/1.1 Host: my-server
I get output like this
HTTP/1.1 200 OK Server: nginx Date: Sat, 30 May 2015 20:37:38 GMT Content-Type: text/plain Content-Length: 103 Last-Modified: Sun, 12 Oct 2014 17:57:25 GMT Connection: keep-alive ETag: "543ac105-67" Expires: Sat, 30 May 2015 20:37:37 GMT Cache-Control: no-cache X-Client-Certificate-Status: NONE Accept-Ranges: bytes User-agent: * Disallow: /admin/ Host: my-server
Please note “X-Client-Certificate-Status” equals to NONE, so $ssl_client_verify was NONE, so no validation takes place.
What can be the cause of this and what can I do to debug this issue?
Answer
The reason was an error in nginx configuration, SSL options were specified twice.
Attribution
Source : Link , Question Author : adontz , Answer Author : adontz