ssl_verify_client with http

Paul Dekkers Paul.Dekkers at surfnet.nl
Wed Jul 11 18:06:21 MSD 2007


Hi,

I tried to configure an HTTPS proxy that enforces the use of client
certificates. I'm not sure what's wrong; I only get either "No required
SSL certificate was sent" or "The SSL certificate error". So apparently
the client certificate is never sent from the client, or requested by
the server. (I know the client part is working well, because it works
with Apache.)

My configuration looks like this:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 443;
        ssl on;
        ssl_certificate /usr/local/etc/nginx/server.crt;
        ssl_certificate_key /usr/local/etc/nginx/server.key;
        #ssl_client_certificate /usr/local/etc/nginx/ca.crt;
        ssl_client_certificate /usr/local/etc/nginx/paul.crt;
        ssl_verify_client on;
        ssl_verify_depth 1;

        location / {
                #just as an example
                proxy_pass http://www.surfnet.nl/;
                proxy_set_header Host www.surfnet.nl;
        }
    }
}

I have the impression that only the certificates defined by
ssl_client_certificate should be accepted, but well... something seems
to be missing. I tried both with a server certificate signed by the same
CA as my client certificate and with a different one. No go.

Any clues?

Regards,
Paul
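
Added example (not part of the original post): the nginx documentation describes ssl_client_certificate as a file of trusted CA certificates used to verify client certificates. The script below builds a constructed throwaway CA and client certificate and uses `openssl verify` to compare the two kinds of trust anchor the configuration above switches between, the issuing CA and the client certificate itself. All file and subject names are made up, and it assumes nginx's OpenSSL-based check builds chains like `openssl verify` with default options.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and client certificate.
# Subject names and file names are made up for this demo.

# make_pki DIR: create a test CA (ca.crt) and a client cert it signs (client.crt)
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
}

# chain_ok ANCHOR CERT: succeed only if CERT chains up to a certificate in ANCHOR.
# Assumption: default chain building, i.e. no partial-chain trust of a leaf.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report ANCHOR CERT: print the verdict as a word
report() {
    if chain_ok "$1" "$2"; then echo "accepted"; else echo "rejected"; fi
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
# Trust anchor is the CA that issued the client certificate
echo "anchor = issuing CA:       $(report "$demo_dir/ca.crt" "$demo_dir/client.crt")"
# Trust anchor file contains only the client (leaf) certificate
echo "anchor = client cert only: $(report "$demo_dir/client.crt" "$demo_dir/client.crt")"
rm -rf "$demo_dir"
```

Running the same `openssl verify -CAfile` check against the real CA file and client certificate shows whether the file given to ssl_client_certificate can anchor the chain at all, independently of whether the browser sends the certificate.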





