Problem of configuring client cert verification

speedfirst nginx-forum at nginx.us
Wed Aug 10 06:26:15 UTC 2011


Hey I have a config like this:

server {
   server_name foo;
   listen 10.117.0.150:3443;
   ssl on;
   ssl_certificate /opt/mycrt/nginx.crt;
   ssl_certificate_key /opt/mycrt/nginx.key;
   # clients must present a certificate signed by foo's CA
   ssl_verify_client on;
   ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;

   location = /certauth {
   }

   location / {
       return 403;
   }
}

server {
   server_name bar;
   listen 10.117.0.150:3443;
   ssl on;
   ssl_certificate /opt/mycrt/nginx.crt;
   ssl_certificate_key /opt/mycrt/nginx.key;
   # clients must present a certificate signed by bar's CA
   ssl_verify_client on;
   ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;

   location = /certauth {
   }

   location / {
       return 403;
   }
}

Note that the two server names share the same IP. If I set both server
blocks' client certificate verification to on, it works well. That is,
accessing https://foo:3443/certauth and https://bar:3443/certauth both
work with the correct certificates (the first cert is signed by
nginx.foo.ca.crt and the second is signed by nginx.bar.ca.crt).

However, if I set the first server block's "ssl_verify_client" to "off"
and remove the location block for "= /certauth", both servers return
the 403 error. In other words, disabling client cert verification in
"foo" also disables client cert verification in the "bar" server.

If I assign a new IP 10.117.0.151 to server "bar" and try with foo's
client cert verification "off" and bar's "on", it works as expected --
foo always returns the 403 error and bar correctly returns the normal
page.

I've checked and confirmed that SNI is enabled in my nginx; my openssl
is 1.0.0c and my nginx version is 0.9.3.


Is this expected, a bug, or did I do something wrong in the config?


Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,213605,213605#msg-213605
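The post reports that turning ssl_verify_client off in the "foo" block behaved as if it had also been turned off in "bar" while both blocks shared 10.117.0.150:3443, and that moving "bar" to its own IP made each block verify independently. Whatever the cause in that nginx version, a deployment where name-based virtual hosts on one listen socket disagree about client-certificate verification is worth catching before it reaches production, because the host you expect to enforce mutual TLS may not be the one whose settings apply. The following is an added example, not code from the post or from nginx: a small Python check that parses an nginx-style config, groups server blocks by their listen socket, and flags groups whose ssl_verify_client or ssl_client_certificate settings differ. It assumes two nginx rules that are documented behaviour: ssl_verify_client defaults to off when unset, and the default server for a socket is the block carrying the default/default_server flag or, failing that, the first block listed for that socket. The sample config is constructed to mirror the post's second and third scenarios; the parser only handles the directive/block syntax needed here and reads settings set directly in each server block.

```python
import re
from collections import defaultdict

# Constructed sample config modelled on the post: foo has verification off,
# bar has it on, both on the same socket; baz sits alone on a second IP.
SAMPLE_CONFIG = """
server {
   server_name foo;
   listen 10.117.0.150:3443;
   ssl on;
   ssl_verify_client off;
   ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;
   location / { return 403; }
}
server {
   server_name bar;
   listen 10.117.0.150:3443;
   ssl on;
   ssl_verify_client on;
   ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;
   location = /certauth { }
   location / { return 403; }
}
server {
   server_name baz;
   listen 10.117.0.151:3443;  # own IP, so no sharing issue
   ssl on;
   ssl_verify_client on;
   ssl_client_certificate /opt/mycrt/nginx.baz.ca.crt;
}
"""

# Tokens: '#' comments, braces/semicolons, quoted strings, bare words.
TOKEN_RE = re.compile(r"#[^\n]*|[{};]|\"[^\"]*\"|'[^']*'|[^\s{};\"']+")


def tokenize(text):
    """Split nginx-style config into tokens, dropping comments."""
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def parse_block(tokens, pos=0):
    """Parse directives up to a closing brace.
    Returns ([(name, args, children_or_None), ...], next_pos)."""
    items, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            return items, pos
        if tok == ";":
            if args:
                items.append((args[0], args[1:], None))
            args = []
        elif tok == "{":
            children, pos = parse_block(tokens, pos)
            items.append((args[0], args[1:], children))
            args = []
        else:
            args.append(tok)
    return items, pos


def server_summary(block):
    """Pull the client-cert verification settings out of one server block.
    ssl_verify_client defaults to 'off' when the block does not set it."""
    s = {"listen": None, "server_name": "?", "ssl_verify_client": "off",
         "ssl_client_certificate": None, "default": False}
    for name, args, _ in block:
        if name == "listen" and args:
            s["listen"] = args[0]
            s["default"] = any(a in ("default", "default_server") for a in args[1:])
        elif name == "server_name" and args:
            s["server_name"] = args[0]
        elif name in ("ssl_verify_client", "ssl_client_certificate") and args:
            s[name] = args[0]
    return s


def find_mismatches(config_text):
    """Group server blocks by listen socket; return {listen: [summaries]} for
    sockets whose blocks disagree on ssl_verify_client or the client CA file."""
    top, _ = parse_block(tokenize(config_text))
    by_listen = defaultdict(list)
    for name, args, children in top:
        if name == "server" and children is not None:
            s = server_summary(children)
            if s["listen"]:
                by_listen[s["listen"]].append(s)
    mismatches = {}
    for listen, servers in by_listen.items():
        if len(servers) < 2:
            continue
        verify_modes = {s["ssl_verify_client"] for s in servers}
        ca_files = {s["ssl_client_certificate"] for s in servers}
        if len(verify_modes) > 1 or len(ca_files) > 1:
            mismatches[listen] = servers
    return mismatches


def default_server(servers):
    """The block marked default/default_server, else the first one listed."""
    for s in servers:
        if s["default"]:
            return s
    return servers[0]


if __name__ == "__main__":
    for listen, servers in find_mismatches(SAMPLE_CONFIG).items():
        dflt = default_server(servers)
        print(f"{listen}: blocks disagree on client-cert verification; "
              f"default server is '{dflt['server_name']}' "
              f"(ssl_verify_client {dflt['ssl_verify_client']})")
        for s in servers:
            print(f"  {s['server_name']}: ssl_verify_client={s['ssl_verify_client']} "
                  f"ca={s['ssl_client_certificate']}")
```

Run against the sample it reports only 10.117.0.150:3443, naming foo as the default server with verification off while bar expects it on; 10.117.0.151:3443 has a single block and is not reported. The same check can be pointed at a real config to decide whether hosts that need different client CAs should get their own IP, as the post ended up doing, or be made to agree on one verification policy.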


