ssl_verify_client with http

Igor Sysoev is at rambler-co.ru
Wed Jul 11 18:27:28 MSD 2007


On Wed, Jul 11, 2007 at 04:06:21PM +0200, Paul Dekkers wrote:

> I tried to configure a https proxy that enforces the use of client
> certificates. I'm not sure what's wrong, I only get either "No required
> SSL certificate was sent" or "The SSL certificate error". So apparently
> the client-certificate is never sent from the client, or requested by
> the server. (I know the client-part is working well, because it works
> with apache.)
> 
> My configuration looks like this:
> 
> worker_processes  1;
> 
> events {
>     worker_connections  1024;
> }
> 
> http {
>     server {
>         listen 443;
>         ssl on;
>         ssl_certificate /usr/local/etc/nginx/server.crt;
>         ssl_certificate_key /usr/local/etc/nginx/server.key;
>         #ssl_client_certificate /usr/local/etc/nginx/ca.crt;
>         ssl_client_certificate /usr/local/etc/nginx/paul.crt;
>         ssl_verify_client on;
>         ssl_verify_depth 1;
> 
>         location / {
>                 #just as an example
>                 proxy_pass http://www.surfnet.nl/;
>                 proxy_set_header Host www.surfnet.nl;
>         }
>     }
> }
> 
> I have the impression that only the certificates defined by
> ssl_client_certificate should be accepted,
> but well... something seems to be missing. I tried both with a server
> certificate signed by the same CA as my client certificate, as with a
> different one. No go.

ssl_client_certificate should point to the CA certificate used to sign
client certificates.


-- 
Igor Sysoev
http://sysoev.ru/en/
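
A pre-flight check for the point made in the reply above, as an added example that is not part of the original message or of nginx: it builds a throwaway CA and client certificate with the openssl CLI and tests which file is acceptable as the value of ssl_client_certificate. All subjects and file names are constructed, the function names are hypothetical, and `openssl verify` is assumed here as a stand-in for the server-side chain check.

```shell
#!/bin/sh
# Added example; every subject, file name and function name is constructed.

# Build a throwaway CA and one client certificate signed by it in directory $1.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Client CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=paul" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/client.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/client.crt" 2>/dev/null
}

# True if certificate $2 verifies when file $1 is supplied as the trusted CA file.
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the subject or issuer (selected by $1) of certificate $2 in RFC 2253 form.
name_of() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Report whether file $1 is usable as ssl_client_certificate for client cert $2:
# it must verify the client cert and its subject must equal the cert's issuer.
check_ca_file() {
    if trusts "$1" "$2" &&
       [ "$(name_of subject "$1")" = "$(name_of issuer "$2")" ]; then
        echo "OK:  $1 is the CA that signed $2"
    else
        echo "BAD: $1 did not sign $2 (issuer: $(name_of issuer "$2"))"
        return 1
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || { rm -rf "$dir"; return 1; }
    check_ca_file "$dir/ca.crt" "$dir/client.crt" || true      # CA file: accepted
    check_ca_file "$dir/client.crt" "$dir/client.crt" || true  # client cert as CA: rejected
    rm -rf "$dir"
}
demo
```

Run against real files, `check_ca_file ca.crt paul.crt` gives the same answer for the configuration quoted in the thread.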




