ssl_verify_client with http

Igor Sysoev is at rambler-co.ru
Wed Jul 11 19:04:35 MSD 2007


On Wed, Jul 11, 2007 at 04:52:21PM +0200, Paul Dekkers wrote:

> Igor Sysoev wrote:
> > On Wed, Jul 11, 2007 at 04:06:21PM +0200, Paul Dekkers wrote:
> >
> >   
> >> I tried to configure a https proxy that enforces the use of client
> >> certificates. I'm not sure what's wrong, I only get either "No required
> >> SSL certificate was sent" or "The SSL certificate error". So apparently
> >> the client-certificate is never sent from the client, or requested by
> >> the server. (I know the client-part is working well, because it works
> >> with apache.)
> >>
> >> My configuration looks like this:
> >>
> >> worker_processes  1;
> >>
> >> events {
> >>     worker_connections  1024;
> >> }
> >>
> >> http {
> >>     server {
> >>         listen 443;
> >>         ssl on;
> >>         ssl_certificate /usr/local/etc/nginx/server.crt;
> >>         ssl_certificate_key /usr/local/etc/nginx/server.key;
> >>         #ssl_client_certificate /usr/local/etc/nginx/ca.crt;
> >>         ssl_client_certificate /usr/local/etc/nginx/paul.crt;
> >>         ssl_verify_client on;
> >>         ssl_verify_depth 1;
> >>
> >>         location / {
> >>                 #just as an example
> >>                 proxy_pass http://www.surfnet.nl/;
> >>                 proxy_set_header Host www.surfnet.nl;
> >>         }
> >>     }
> >> }
> >>
> >> I have the impression that only the certificates defined by
> >> ssl_client_certificate should be accepted,
> >> but well... something seems to be missing. I tried both with a server
> >> certificate signed by the same CA as my client certificate, as with a
> >> different one. No go.
> >>     
> >
> > ssl_client_certificate should point to CA certificate used to sign
> > client certificates.
> >   
> 
> If I do that (with my ca.crt file) I get a "The SSL certificate error".
> Mind you that the ca.crt contains two certificates, because our CA is
> signed by a PCA, but it doesn't seem to work - not even if I remove one
> of the two certificates (and for instance only keep our CA that directly
> signed the certificate, instead of the PCA).

If you have two certificates in the chain, then you should set:

        ssl_verify_depth 2;

What SSLVerifyDepth do you use with Apache?

> Is there any way to debug this? If I'm not mistaken this should work,
> it's exactly as you describe it.

There should be nginx error messages in error_log at info level.
Could you see them ?

> If I have to specify the CA in ssl_client_certificate; what means are
> there to define which client-certificates are allowed? (I thought I
> could do that with a file consisting of multiple client-certificates as
> ssl_client_certificate, based on what I do with apache or stunnel for
> instance. There I can just define a file (or directory) consisting of
> the allowed client-certificates.) It's not that I want to allow everyone
> with a valid certificate in this chain access to the site...

ssl_client_certificate is an analog of SSLCACertificateFile.


-- 
Igor Sysoev
http://sysoev.ru/en/
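The configuration the thread converges on (CA bundle in ssl_client_certificate, ssl_verify_depth 2 for a CA signed by a PCA, error_log at info level for debugging), written out as an added example that is not from the thread or from nginx itself. It goes one step beyond the thread by answering the open question of how to restrict access to specific client certificates, using a map on $ssl_client_fingerprint; that variable and the map directive require a much newer nginx than the 2007 build discussed, and all paths, the server_name and the fingerprint value are placeholders.

```nginx
# Added example, not from the mailing-list thread. Assumes nginx >= 1.7.1
# (for $ssl_client_fingerprint); paths, server_name and fingerprint are placeholders.
worker_processes  1;

# Igor's hint: client-cert verification failures are logged at info level.
error_log  /var/log/nginx/error.log  info;

events {
    worker_connections  1024;
}

http {
    # Allow-list of individual client certificates, keyed on the SHA-1
    # fingerprint (lower-case hex). Anything not listed maps to 0.
    map $ssl_client_fingerprint $client_allowed {
        default                                     0;
        "0123456789abcdef0123456789abcdef01234567"  1;   # placeholder: Paul's cert
    }

    server {
        listen 443 ssl;              # modern form of "ssl on;"
        server_name proxy.example.org;

        ssl_certificate     /usr/local/etc/nginx/server.crt;
        ssl_certificate_key /usr/local/etc/nginx/server.key;

        # Must be the CA bundle that *signed* the client certs, not the
        # client certs themselves. ca-chain.crt is PEM: the issuing CA
        # first, followed by the PCA that signed the CA.
        ssl_client_certificate /usr/local/etc/nginx/ca-chain.crt;
        ssl_verify_client      on;

        # Client cert -> CA -> PCA: two CA certificates above the leaf,
        # so the default depth of 1 is not enough.
        ssl_verify_depth       2;

        location / {
            # ssl_verify_client on already rejects certs that do not chain
            # to the bundle; this additionally rejects valid-but-unlisted ones.
            if ($client_allowed = 0) {
                return 403;
            }

            proxy_pass http://www.surfnet.nl/;
            proxy_set_header Host www.surfnet.nl;
            # Hand the verified identity to the backend for its own logs.
            proxy_set_header X-Client-DN $ssl_client_s_dn;
        }
    }
}
```

Before reloading, `openssl verify -CAfile ca-chain.crt paul.crt` confirms that the bundle actually chains the client certificate, and `nginx -t` checks the configuration syntax.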
