<div dir="ltr">Oh. We have just one root CA and I downloaded the CRL file for that CA and used it in nginx. The depth is also 1. As soon as I put the CRL config in nginx, all requests lead to HTTP 400 Bad Request.<div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 14, 2016 at 2:20 PM, Alex Samad <span dir="ltr"><<a href="mailto:alex@samad.com.au" target="_blank">alex@samad.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What I had to do was set the depth to the number of CAs or greater,<br>
and I had to get all the CRLs for each CA and concat them<br>
into a CRL file.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On 14 October 2016 at 16:49, Zeal Vora <<a href="mailto:zeal@freecharge.com">zeal@freecharge.com</a>> wrote:<br>
> Thanks Maxim.<br>
><br>
> I tried changing the ssl_verify_depth to 1 from a value of 2; however, I still<br>
> get 400 Bad Request for all the certificates ( Valid and Revoked ).<br>
><br>
> I checked the error_log file, there are no entries in that file. It all<br>
> works when I remove the ssl_crl option ( however then revoked certificates<br>
> are allowed ).<br>
><br>
> Just for a bit more info, I downloaded the CRL from ADCS, which is in the form of<br>
> test.crl, which I converted to .pem format with openssl.<br>
><br>
><br>
><br>
><br>
> On Thu, Oct 13, 2016 at 6:27 PM, Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br>
>><br>
>> Hello!<br>
>><br>
>> On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:<br>
>><br>
>> > Hi<br>
>> ><br>
>> > We've implemented basic Certificate Based Authentication for Nginx.<br>
>> ><br>
>> > However whenever the certificate is revoked, Nginx still allows the<br>
>> > client<br>
>> > ( with revoked certificate ) to access the website.<br>
>> ><br>
>> > I verified manually with openssl with the OCSP URI and OCSP seems to be<br>
>> > working<br>
>> > properly. Nginx doesn't seem to be forwarding the request to OCSP before<br>
>> > allowing the client.<br>
>><br>
>> That's because nginx doesn't support OCSP validation of client<br>
>> certificates. Use CRLs instead.<br>
>><br>
>> > I tried to specify the ssl_crl but as soon as I put it, all the clients<br>
>> > start to receive 400 Bad Request.<br>
>> ><br>
>> > Here is my sample relevant Nginx Config :-<br>
>> ><br>
>> ><br>
>> > ### SSL cert files ###<br>
>> ><br>
>> > ssl_client_certificate /test/ca.crt;<br>
>> > ssl_verify_client optional;<br>
>> ><br>
>> > ssl_crl /prod-adcs/latest.pem;<br>
>> > ssl_verify_depth 2;<br>
>> ><br>
>> ><br>
>> > Is there something that I'm missing here ?<br>
>><br>
>> Your error log should have details. Given you are using verify<br>
>> depth set to 2, most likely there is no CRL for the root<br>
>> certificate itself, and that's why nginx is complaining.<br>
>><br>
>> --<br>
>> Maxim Dounin<br>
>> <a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
>><br>
>> _______________________________________________<br>
>> nginx mailing list<br>
>> <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
>> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>
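The configuration below is an added example, not taken from any of the posters' messages. It puts the failing shape from the thread next to a corrected one: with <code>ssl_crl</code> set, nginx asks OpenSSL to check a CRL for every CA in the client's chain, so the CRL file must contain a PEM CRL from each CA that <code>ssl_client_certificate</code> and <code>ssl_verify_depth</code> allow into the chain. All file paths and the server name are placeholders.

```nginx
# Added example, not from the thread. Paths and names are placeholders.

# --- What the thread describes failing ---
# ssl_verify_depth 2 lets nginx build a chain up to two CAs deep, and with
# ssl_crl set, every CA in that chain needs a CRL. A file holding only the
# issuing CA's CRL (or a CRL still in DER form) leaves the root uncovered,
# so verification fails for every client, valid or revoked, and nginx
# answers 400 Bad Request.
#
#   ssl_client_certificate /test/ca.crt;
#   ssl_verify_client      optional;
#   ssl_crl                /prod-adcs/latest.pem;
#   ssl_verify_depth       2;

# --- Corrected form ---
server {
    listen 443 ssl;
    server_name example.test;                        # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder

    # Every CA that may appear in a client's chain, PEM, concatenated.
    ssl_client_certificate /etc/nginx/tls/client-ca-chain.pem;

    # One CRL per CA listed above, PEM, concatenated into a single file.
    # ADCS publishes DER, so convert each CRL first (openssl crl writes
    # PEM by default), then join them:
    #   openssl crl -inform DER -in root.crl    -out root-crl.pem
    #   openssl crl -inform DER -in issuing.crl -out issuing-crl.pem
    #   cat root-crl.pem issuing-crl.pem > /etc/nginx/tls/client-ca-crls.pem
    ssl_crl /etc/nginx/tls/client-ca-crls.pem;

    # Depth must cover the whole chain: 1 for a single root CA,
    # 2 for root + issuing CA. Keep it in step with the CA bundle.
    ssl_verify_depth 2;

    # With 'optional', nginx does not reject on its own;
    # the application must check the verification result.
    ssl_verify_client optional;

    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        root /var/www/app;                           # placeholder
    }
}
```

Two checks worth running after any change here: confirm the number of <code>BEGIN X509 CRL</code> blocks in the CRL file matches the number of CAs in the client CA bundle, and note each CRL's <code>nextUpdate</code> (<code>openssl crl -in file.pem -noout -nextupdate</code>). OpenSSL treats an expired CRL as a verification failure, so a stale bundle produces the same all-clients-rejected symptom the thread describes; refreshing the bundle on a schedule shorter than the CRL validity period avoids that outage.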