ssl_verify_client with http

Paul Dekkers Paul.Dekkers at surfnet.nl
Wed Jul 11 18:52:21 MSD 2007


Hi Igor,

Igor Sysoev wrote:
> On Wed, Jul 11, 2007 at 04:06:21PM +0200, Paul Dekkers wrote:
>
>> I tried to configure a https proxy that enforces the use of client
>> certificates. I'm not sure what's wrong; I only get either "No required
>> SSL certificate was sent" or "The SSL certificate error". So apparently
>> the client-certificate is never sent from the client, or requested by
>> the server. (I know the client-part is working well, because it works
>> with apache.)
>>
>> My configuration looks like this:
>>
>> worker_processes  1;
>>
>> events {
>>     worker_connections  1024;
>> }
>>
>> http {
>>     server {
>>         listen 443;
>>         ssl on;
>>         ssl_certificate /usr/local/etc/nginx/server.crt;
>>         ssl_certificate_key /usr/local/etc/nginx/server.key;
>>         #ssl_client_certificate /usr/local/etc/nginx/ca.crt;
>>         ssl_client_certificate /usr/local/etc/nginx/paul.crt;
>>         ssl_verify_client on;
>>         ssl_verify_depth 1;
>>
>>         location / {
>>                 #just as an example
>>                 proxy_pass http://www.surfnet.nl/;
>>                 proxy_set_header Host www.surfnet.nl;
>>         }
>>     }
>> }
>>
>> I have the impression that only the certificates defined by
>> ssl_client_certificate should be accepted,
>> but well... something seems to be missing. I tried both with a server
>> certificate signed by the same CA as my client certificate, as with a
>> different one. No go.
>
> ssl_client_certificate should point to CA certificate used to sign
> client certificates.

If I do that (with my ca.crt file) I get "The SSL certificate error".
Mind you that the ca.crt contains two certificates, because our CA is
signed by a PCA, but it doesn't seem to work - not even if I remove one
of the two certificates (and for instance only keep our CA that directly
signed the certificate, instead of the PCA).

Is there any way to debug this? If I'm not mistaken this should work,
it's exactly as you describe it.

If I have to specify the CA in ssl_client_certificate, what means are
there to define which client-certificates are allowed? (I thought I
could do that with a file consisting of multiple client-certificates as
ssl_client_certificate, based on what I do with apache or stunnel for
instance. There I can just define a file (or directory) consisting of
the allowed client-certificates.) It's not that I want to allow everyone
with a valid certificate in this chain access to the site...

Thanks for your help,

Regards,
Paul
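
An added configuration example, not part of the thread and not Paul's or Igor's configuration, covering the two points raised above: when ca.crt holds both the CA and the PCA that signed it, the chain client -> CA -> PCA contains an intermediate, so the verification depth must admit it (depth 2 works under both the older and the newer OpenSSL counting conventions); and limiting access to particular client certificates is done after chain verification, here with a map on the client subject DN. File paths and subject DNs are placeholders, and it assumes a modern nginx where the ssl parameter of listen is available.

```nginx
# Added example (not from the thread). Allowlist of individual client
# certificates by subject DN; any DN not listed maps to 0.
map $ssl_client_s_dn $client_allowed {
    default 0;
    "CN=Paul Dekkers,O=SURFnet"   1;   # placeholder subject DN
    "CN=Another User,O=SURFnet"   1;   # placeholder subject DN
}

server {
    listen 443 ssl;
    ssl_certificate     /usr/local/etc/nginx/server.crt;
    ssl_certificate_key /usr/local/etc/nginx/server.key;

    # ca.crt contains our CA and the PCA that signed it. The client
    # certificate is signed by the CA, so the chain has an intermediate.
    # ssl_verify_depth 1 is too shallow under older OpenSSL counting;
    # 2 admits the intermediate with either counting convention.
    ssl_client_certificate /usr/local/etc/nginx/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # A valid chain alone grants access to everyone the CA ever
        # signed; additionally require a DN from the allowlist above.
        if ($client_allowed = 0) {
            return 403;
        }
        proxy_pass http://www.surfnet.nl/;
        proxy_set_header Host www.surfnet.nl;
    }
}
```

The exact string nginx puts in $ssl_client_s_dn depends on the nginx version (older releases use the "/O=.../CN=..." form), so log the variable once and copy the DN from the log rather than typing it by hand.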
