Problem with Client SSL certificates

cyberchriss nginx-forum at nginx.us
Fri Feb 10 09:33:14 UTC 2012


I tried to configure nginx with client certificates, but only get 400
Bad Request (No required SSL certificate was sent)

Here is my Setup:
Nginx 0.7.65 on Ubuntu 10.4.3 with php5-fpm 5.3.2-1

I set up a vhost configuration for testing these client certificates:

server {
        listen 443;
        ssl on;
        ssl_session_timeout  30m;
        server_name test.myserver.lan;
        error_log /var/log/nginx/debug.log debug;

        ssl_certificate      /etc/nginx/certs/server.crt;
        ssl_certificate_key  /etc/nginx/certs/server.key;

        ssl_client_certificate /etc/nginx/certs/ca.crt;
        ssl_verify_client on;

        location / {
                root            /var/www/test;
                fastcgi_pass    unix:/tmp/php.sock;
                fastcgi_param   SCRIPT_FILENAME /var/www/test/test.php;
                fastcgi_param   VERIFIED $ssl_client_verify;
                fastcgi_param   DN $ssl_client_s_dn;
                include fastcgi_params;
        }
}

For testing I generated a self-signed server key and server cert. Later
in production this server certificate should be changed to a trusted
certificate from an official CA. This part is working fine.

The Problem began with the client certificates.
Here are the steps I did:
1. Generate a root CA (only for the client certificates)
> openssl genrsa -des3 -out ca.key 4096
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2. Generate the client certificate, signed by that CA
> openssl genrsa -des3 -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

3. Convert to PKCS#12
> openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

4. Import the client.p12 into Firefox
I got 400 Bad Request (No required SSL certificate was sent)

Server log says:
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL handshake handler: 0
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL: TLSv1, cipher:
"DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: 434
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 http request line: "GET /
HTTP/1.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http uri: "/"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http args: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http exten: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request header
line
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Host:
test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "User-Agent:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101
Firefox/7.0.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header:
"Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header:
"Accept-Encoding: gzip, deflate"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Connection:
keep-alive"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cookie:
PHPSESSID=5nn4bei3plftd5r12790kk12n1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cache-Control:
max-age=0"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header done
2012/02/10 10:13:23 [info] 30297#0: *8819 client sent no required SSL
certificate while reading client request headers, client: 150.102.1.193,
server: test.myserver.lan, request: "GET / HTTP/1.1", host:
"test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http finalize request: 496,
"/?" 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 event timer del: 12:
1720368829
2012/02/10 10:13:23 [debug] 30297#0: *8819 http special response: 496,
"/?"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http set discard body
2012/02/10 10:13:23 [debug] 30297#0: *8819 HTTP/1.1 400 Bad Request
Server: nginx/0.7.65
Date: Fri, 10 Feb 2012 09:13:23 GMT
Content-Type: text/html
Content-Length: 253
Connection: close



To see a little more output from the client side:

>curl -v -s -k https://test.myserver.lan

* About to connect() to port 443 (#0)
*   Trying 150.102.5.20... connected
* Connected to test.myserver.lan (150.102.5.20) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=DE; ST=RLP; L=MyCity; O=My company; OU=My Company;
CN=test.myserver.lan; emailAddress=admin at myserver.lan
*        start date: 2012-02-06 10:15:29 GMT
*        expire date: 2013-02-05 10:15:29 GMT
*        common name: test.myserver.lan 
*        issuer: C=DE; ST=RLP; L=MyCity; O=My Company; OU=My Company;
CN=test.myserver.lan; emailAddress=admin at myserver.lan
*        SSL certificate verify result: self signed certificate (18),
continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: test.myserver.lan
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/0.7.65
< Date: Fri, 10 Feb 2012 09:19:00 GMT
< Content-Type: text/html
< Content-Length: 253
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/0.7.65</center>
</body>
</html>
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

If I interpret the log files correctly, there is only an SSL handshake for
the server cert authentication?!?!?
Does anybody have a hint where the mistake is?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,222213,222213#msg-222213
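A check worth running on a trace like the one above, added here as an example (it is not part of the original post and not nginx's or curl's code): curl built against OpenSSL prints every handshake message it sees with `-v`, and a server that really asks for a client certificate sends a CertificateRequest, which curl labels "Request CERT (13)", between its own "CERT (11)" and "Server finished (14)". The client then answers with its own "CERT (11)" and a "CERT verify (15)" after the server's "Server finished (14)". The script below parses those lines and reports which of the two sides did its part. The first sample is the handshake portion of the curl output in the post; the second sample is a constructed trace of a successful mutual-TLS handshake in the same format, included only so the contrast is visible. Note that the curl command in the post was run with `-k` only, without `--cert`/`--key`, so that client could not have presented a certificate regardless of what the server asked for; re-running it with `--cert client.crt --key client.key --cacert ca.crt` separates "server never asked" from "client never answered".

```python
"""Parse a 'curl -v' TLS handshake trace (OpenSSL-style message lines) and
report whether a client certificate was requested and presented.

Added diagnostic example; not code from the original post, nginx, or curl.
"""
import re

# Constructed sample 1: the handshake lines quoted in the post's curl -v output.
SAMPLE_TRACE = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
"""

# Constructed sample 2: what a working mutual-TLS handshake looks like in the
# same curl format (assumed, built for contrast; not captured from the poster's server).
SAMPLE_TRACE_MTLS = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
"""

# TLS handshake message type numbers as printed in parentheses by curl.
CERTIFICATE = 11          # curl: "CERT"
CERTIFICATE_REQUEST = 13  # curl: "Request CERT"
SERVER_HELLO_DONE = 14    # curl: "Server finished"
CERTIFICATE_VERIFY = 15   # curl: "CERT verify"

HANDSHAKE_RE = re.compile(r"TLS handshake, (?P<name>[^(]+?) \((?P<type>\d+)\):")


def handshake_types(trace):
    """Return the handshake message type numbers in the order they appear."""
    types = []
    for line in trace.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            types.append(int(m.group("type")))
    return types


def diagnose(trace):
    """Classify a trace: did the server ask for a cert, did the client send one?"""
    types = handshake_types(trace)
    server_requested = CERTIFICATE_REQUEST in types
    after_done = []
    if SERVER_HELLO_DONE in types:
        # Anything after ServerHelloDone is the client's second flight.
        after_done = types[types.index(SERVER_HELLO_DONE) + 1:]
    client_sent = CERTIFICATE in after_done
    client_proved_key = CERTIFICATE_VERIFY in after_done

    if not server_requested:
        verdict = ("server never sent a CertificateRequest, so the client "
                   "had no opportunity to present a certificate")
    elif not client_sent:
        verdict = ("server asked for a client certificate but the client "
                   "sent none (curl needs --cert/--key to present one)")
    elif not client_proved_key:
        verdict = "client sent a certificate but no CertificateVerify"
    else:
        verdict = ("client certificate requested, sent and proved; a "
                   "remaining 4xx would be a verification (CA/chain) issue")
    return {
        "server_requested_cert": server_requested,
        "client_sent_cert": client_sent,
        "client_proved_key": client_proved_key,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, trace in (("post", SAMPLE_TRACE), ("mtls", SAMPLE_TRACE_MTLS)):
        print(label, diagnose(trace)["verdict"])
```

Run it over the handshake lines of any `curl -v` capture (piping the whole curl stderr in works, since non-handshake lines are ignored). For the trace in the post it reports that no CertificateRequest was seen, which is the first thing to confirm before looking at CA or PKCS#12 details.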


