ssl_verify_client with http
Igor Sysoev
is at rambler-co.ru
Wed Jul 11 18:27:28 MSD 2007
On Wed, Jul 11, 2007 at 04:06:21PM +0200, Paul Dekkers wrote:
> I tried to configure a https proxy that enforces the use of client
> certificates. I'm not sure what's wrong, I only get either "No required
> SSL certificate was sent" or "The SSL certificate error". So apparently
> the client-certificate is never sent from the client, or requested by
> the server. (I know the client-part is working well, because it works
> with apache.)
>
> My configuration looks like this:
>
> worker_processes 1;
>
> events {
> worker_connections 1024;
> }
>
> http {
> server {
> listen 443;
> ssl on;
> ssl_certificate /usr/local/etc/nginx/server.crt;
> ssl_certificate_key /usr/local/etc/nginx/server.key;
> #ssl_client_certificate /usr/local/etc/nginx/ca.crt;
> ssl_client_certificate /usr/local/etc/nginx/paul.crt;
> ssl_verify_client on;
> ssl_verify_depth 1;
>
> location / {
> #just as an example
> proxy_pass http://www.surfnet.nl/;
> proxy_set_header Host www.surfnet.nl;
> }
> }
> }
>
> I have the impression that only the certificates defined by
> ssl_client_certificate should be accepted,
> but well... something seems to be missing. I tried both with a server
> certificate signed by the same CA as my client certificate, as with a
> different one. No go.
ssl_client_certificate should point to CA certificate used to sign
client certificates.
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx
mailing list