Client Authentication Problem when access from android phone

Maxim Dounin mdounin at mdounin.ru
Fri Jan 8 17:05:18 UTC 2016


Hello!

On Fri, Jan 08, 2016 at 03:33:56AM -0500, atsushi2550 wrote:

> Hi there,
> 
> I'm trying to set up reverse proxy server with client authentication.
> 
> --- Environment  ---
> My CA is 2 tier.
> Root CA - intermediate CA - Client Certificate.
> 
> --- Problem Description ---
> When I accessed the proxy server from a laptop PC,
> only the correct client certificate was suggested,
> and authentication succeeded.
> 
> But when I accessed the proxy server from an Android phone,
> ALL installed client certificates were suggested,
> and if I chose the *wrong client certificate, authentication succeeded.
> 
> *wrong client certificate: a certificate whose root CA is the same but
> whose intermediate CA is different.

It's not possible to limit client authentication to only allow 
certs issued by an intermediate CA.  All certificates which can be 
verified up to the trusted root CA are allowed.

If you need to additionally limit access to only allow certain 
certs, you can do so based on variables provided by the SSL 
module, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

Something like 

    if ($ssl_client_i_dn != "...") {
        return 403;
    }

should be appropriate in your case.

-- 
Maxim Dounin
http://nginx.org/
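The configuration below is an added example illustrating the approach described in the reply above; it is not part of the mailing-list thread or of nginx's own documentation. The server name, file paths, upstream name and the intermediate CA's DN string are assumed placeholders. It pairs the verification settings a two-tier chain needs (`ssl_verify_depth 2`, since the default depth of 1 only covers a client certificate issued directly by the trusted root) with a `map` on `$ssl_client_i_dn` that whitelists one issuing intermediate, so a certificate from a sibling intermediate under the same root is rejected with 403 even though it verifies.

```nginx
# Added example, not from the thread. All names and paths are assumed.

# http context: map the issuer DN of the presented client certificate to a
# flag. Only certificates issued by the listed intermediate are allowed;
# anything else that still chains to the trusted root gets 0.
# Copy the DN string from the intermediate's certificate. Its format depends
# on the nginx version: OpenSSL one-line form ("/C=US/O=Example Org/CN=...")
# before 1.11.6, RFC 2253 form ("CN=...,O=...,C=...") from 1.11.6 on
# ($ssl_client_i_dn_legacy keeps the old form there).
map $ssl_client_i_dn $client_cert_allowed {
    default 0;
    "CN=Allowed Intermediate CA,O=Example Org,C=US" 1;   # assumed DN
}

server {
    listen 443 ssl;
    server_name proxy.example.com;                       # assumed

    ssl_certificate     /etc/nginx/tls/server.crt;       # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Trust anchor for client certs: the root CA (with the intermediate
    # included so nginx can build the chain). Every certificate that
    # verifies up to this root passes this step, whichever intermediate
    # issued it; the issuer restriction is enforced separately below.
    ssl_client_certificate /etc/nginx/tls/client-ca-chain.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;          # root -> intermediate -> client certificate

    location / {
        # Equivalent to the reply's
        #   if ($ssl_client_i_dn != "...") { return 403; }
        # but the map form scales to several permitted intermediates.
        if ($client_cert_allowed = 0) {
            return 403;
        }
        proxy_pass http://backend;                       # assumed upstream
    }
}
```

Because `ssl_verify_client on` already rejects any certificate that fails chain validation, the `map`/`if` check only ever sees certificates that verified to the root; it narrows them down by issuer. A reasonable check while rolling this out is to log `$ssl_client_i_dn` for a few connections from each client type, so the exact DN string (and its format for the running nginx version) is confirmed before the 403 rule is enabled.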
