NGINX not checking OCSP for revoked certificates

Zeal Vora zeal at freecharge.com
Fri Oct 14 10:02:05 UTC 2016


Oh. We have just one root CA and I downloaded the CRL file for that CA and
used it in nginx. The depth is also 1. As soon as I put crl config in
nginx, all request leads to HTTP 400 Bad Request .



On Fri, Oct 14, 2016 at 2:20 PM, Alex Samad <alex at samad.com.au> wrote:

> What I had to do was sent the depth to the number or greater than the
> number of ca's and I had to get all the crl's for each CA and concat
> into a crl file.
>
>
>
> On 14 October 2016 at 16:49, Zeal Vora <zeal at freecharge.com> wrote:
> > Thanks Maxim.
> >
> > I tried changing the ssl_verify_depth to 1 from value of 2 however still
> I
> > get 400 Bad Request for all the certificates ( Valid and Revoked ).
> >
> > I checked the error_log file, there are no entries in that file. It all
> > works when I remove the ssl_crl option ( however then revoked
> certificates
> > are allowed ).
> >
> > Just for bit more info, I downloaded the CRL from ADCS which is in form
> of
> > test.crl which I convert it to .pem format with openssl.
> >
> >
> >
> >
> > On Thu, Oct 13, 2016 at 6:27 PM, Maxim Dounin <mdounin at mdounin.ru>
> wrote:
> >>
> >> Hello!
> >>
> >> On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:
> >>
> >> > Hi
> >> >
> >> > We've implemented basic Certificate Based Authentication for Nginx.
> >> >
> >> > However whenever the certificate is revoked, Nginx still allows the
> >> > client
> >> > ( with revoked certificate ) to access the website.
> >> >
> >> > I verified manually with openssl with OCSP URI and OCSP seems to be
> >> > working
> >> > properly. Nginx doesn't seem to be forwarding request to OCSP before
> >> > allowing client.
> >>
> >> That's because nginx doesn't support OCSP validation of client
> >> certificates.  Use CRLs instead.
> >>
> >> > I tried to specify the ssl_crl but as soon as I put it, all the
> clients
> >> > starts to receive 400 Bad Request.
> >> >
> >> > Here is my sample relevant Nginx Config :-
> >> >
> >> >
> >> >     ### SSL cert files ###
> >> >
> >> >    ssl_client_certificate /test/ca.crt;
> >> >    ssl_verify_client   optional;
> >> >
> >> >     ssl_crl /prod-adcs/latest.pem;
> >> >     ssl_verify_depth 2;
> >> >
> >> >
> >> > Is there something that I'm missing here ?
> >>
> >> Your error log should have details.  Given you are using verify
> >> depth set to 2, most likely there is no CRL for the root
> >> certificate itself, and that's why nginx complaining.
> >>
> >> --
> >> Maxim Dounin
> >> http://nginx.org/
> >>
> >> _______________________________________________
> >> nginx mailing list
> >> nginx at nginx.org
> >> http://mailman.nginx.org/mailman/listinfo/nginx
> >
> >
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20161014/3ec14c18/attachment.html>


More information about the nginx mailing list