400 Bad Request. No required SSL certificate was sent

esirenko nginx-forum at nginx.us
Thu Aug 7 13:17:45 UTC 2014


Testing is currently being done on CentOS 5.2.

I installed CURL:
[root at nginx-test nginx]# curl --version
curl 7.37.1 (x86_64-unknown-linux-gnu) libcurl/7.37.1
=========================================

If ssl_protocols is TSLv1 or lower, everything is OK

and the connection works:
==================================================================
[root at nginx-test nginx]# openssl s_client -host nginx-test -port 443
CONNECTED(00000003)
depth=1 C = RU, ST = RO, L = Rostov-on-Don, O = IT, OU = admin, CN = rootCA, emailAddress = xxx at xxx.com
verify return:1
depth=0 C = RU, ST = RO, L = Rostov-on-Don, O = IT, OU = admin, CN = serverCert, emailAddress = xxx at xxx.com
verify return:1
---
Certificate chain
 0 s:/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=serverCert/emailAddress=xxx at xxx.com
   i:/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=rootCA/emailAddress=xxx at xxx.com
 1 s:/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=rootCA/emailAddress=xxx at xxx.com
   i:/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=rootCA/emailAddress=xxx at xxx.com
---
Server certificate
subject=/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=serverCert/emailAddress=xxx at xxx.com
issuer=/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=rootCA/emailAddress=xxx at xxx.com
---
Acceptable client certificate CA names
/C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=rootCA/emailAddress=xxx at xxx.com
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2051 bytes and written 513 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 56098C9259B6B7791C769AC0923D370B31C0D001D337006698BC200E8A773D60
    Session-ID-ctx:
    Master-Key: 6ACBB550AEE71E4152924A3273CC458305F3909A7DC656B9C4AB66210A41939E1A3E349CD81ACD7C919727E3973B2156
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407416980
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
==============================================================================


Opera and IE also work fine with the site. Chrome's problems are its own
problems, and I will write to their support if it comes to that.
Although I tried both with the named site and with direct calls via IP.


But if ssl_protocols is TSLv1.1 or higher, then:

==============================================================================

[root at nginx-test nginx]# openssl s_client -host nginx-test -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 303 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
==================================================================

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,252280,252385#msg-252385


