NGINX not checking OCSP for revoked certificates
mdounin at mdounin.ru
Thu Oct 13 12:57:32 UTC 2016
On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:
> We've implemented basic Certificate Based Authentication for Nginx.
> However, whenever the certificate is revoked, Nginx still allows the client
> (with revoked certificate) to access the website.
> I verified manually with openssl with the OCSP URI and OCSP seems to be working
> properly. Nginx doesn't seem to be forwarding the request to OCSP before
> allowing the client.
That's because nginx doesn't support OCSP validation of client
certificates. Use CRLs instead.
> I tried to specify the ssl_crl but as soon as I put it, all the clients
> start to receive 400 Bad Request.
> Here is my sample relevant Nginx config:
> ### SSL cert files ###
> ssl_client_certificate /test/ca.crt;
> ssl_verify_client optional;
> ssl_crl /prod-adcs/latest.pem;
> ssl_verify_depth 2;
> Is there something that I'm missing here?
Your error log should have details. Given you are using verify
depth set to 2, most likely there is no CRL for the root
certificate itself, and that's why nginx is complaining.
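The check behind that answer, as an added example that is not part of the thread or of nginx: with ssl_crl set, nginx has OpenSSL check a CRL for every certificate in the chain, so the ssl_crl file must contain a CRL issued by the root CA as well as by any intermediate. The script below (assumes the openssl CLI; the /test/ca.crt and /prod-adcs/latest.pem names are only those from the config quoted above) lists which CAs in the trusted bundle have no CRL, and reproduces the server-side verification with openssl verify -crl_check_all.

```sh
#!/bin/sh
# Added example, not from the thread or the nginx project: check whether a CRL
# bundle (the ssl_crl file) contains a CRL from every CA in the trusted bundle
# (the ssl_client_certificate file). nginx enables OpenSSL's "check CRLs for
# the whole chain" mode, so with ssl_verify_depth 2 the root CA's own CRL must
# be present as well as the intermediate's; otherwise verification fails with
# OpenSSL's "unable to get certificate CRL" error. Requires the openssl CLI.

# Run an openssl subcommand ($3) on each PEM object of type $2 in file $1.
pem_items() {
  awk -v b="-----BEGIN $2-----" -v e="-----END $2-----" -v cmd="$3" '
    $0 == b { buf = ""; inblk = 1 }
    inblk   { buf = buf $0 "\n" }
    $0 == e { inblk = 0; print buf | cmd; close(cmd) }' "$1"
}

# Return 0 if every CA certificate in $1 has a CRL issued by it in $2,
# otherwise list the uncovered CA subjects on stderr and return 1.
crl_covers_chain() {
  cas=$(pem_items "$1" CERTIFICATE "openssl x509 -noout -nameopt RFC2253 -subject" |
        sed 's/^[a-z]*= *//')
  issuers=$(pem_items "$2" "X509 CRL" "openssl crl -noout -nameopt RFC2253 -issuer" |
            sed 's/^[a-z]*= *//')
  missing=$(printf '%s\n' "$cas" | while IFS= read -r ca; do
    printf '%s\n' "$issuers" | grep -Fqx -e "$ca" || printf '%s\n' "$ca"
  done)
  if [ -n "$missing" ]; then
    printf 'no CRL in %s issued by:\n%s\n' "$2" "$missing" >&2
    return 1
  fi
  echo "every CA in $1 has a CRL in $2"
}

# Reproduce nginx's check outside the server: verify a client certificate ($3)
# against the CA bundle ($1) with CRL checking enforced for the whole chain.
verify_client_cert() {
  openssl verify -CAfile "$1" -CRLfile "$2" -crl_check_all "$3"
}

# Usage with the file names from the thread (assumed to exist on the server):
# crl_covers_chain /test/ca.crt /prod-adcs/latest.pem
# verify_client_cert /test/ca.crt /prod-adcs/latest.pem client.crt
```

When the root's CRL is missing, verify_client_cert fails with the same "unable to get certificate CRL" reason nginx reports in its error log, which is the quickest way to confirm the diagnosis above.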