ssl_verify_client with http

Paul Dekkers Paul.Dekkers at surfnet.nl
Wed Jul 11 23:01:02 MSD 2007


Igor Sysoev wrote:
> On Wed, Jul 11, 2007 at 04:52:21PM +0200, Paul Dekkers wrote:
>> Igor Sysoev wrote:
>>
>>> On Wed, Jul 11, 2007 at 04:06:21PM +0200, Paul Dekkers wrote:
>>>
>>>> I tried to configure a https proxy that enforces the use of client
>>>> certificates. I'm not sure what's wrong, I only get either "No required
>>>> SSL certificate was sent" or "The SSL certificate error". So apparently
>>>> the client-certificate is never sent from the client, or requested by
>>>> the server. (I know the client-part is working well, because it works
>>>> with apache.)
>>>>
>>>> My configuration looks like this:
>>>>
>>>> worker_processes  1;
>>>>
>>>> events {
>>>>     worker_connections  1024;
>>>> }
>>>>
>>>> http {
>>>>     server {
>>>>         listen 443;
>>>>         ssl on;
>>>>         ssl_certificate /usr/local/etc/nginx/server.crt;
>>>>         ssl_certificate_key /usr/local/etc/nginx/server.key;
>>>>         #ssl_client_certificate /usr/local/etc/nginx/ca.crt;
>>>>         ssl_client_certificate /usr/local/etc/nginx/paul.crt;
>>>>         ssl_verify_client on;
>>>>         ssl_verify_depth 1;
>>>>
>>>>         location / {
>>>>                 #just as an example
>>>>                 proxy_pass http://www.surfnet.nl/;
>>>>                 proxy_set_header Host www.surfnet.nl;
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> I have the impression that only the certificates defined by
>>>> ssl_client_certificate should be accepted,
>>>> but well... something seems to be missing. I tried both with a server
>>>> certificate signed by the same CA as my client certificate, as with a
>>>> different one. No go.
>>>>
>>> ssl_client_certificate should point to CA certificate used to sign
>>> client certificates.
>>>
>> If I do that (with my ca.crt file) I get a "The SSL certificate error".
>> Mind you that the ca.crt contains two certificates, because our CA is
>> signed by a PCA, but it doesn't seem to work - not even if I remove one
>> of the two certificates (and for instance only keep our CA that directly
>> signed the certificate, instead of the PCA).
>>
>
> If you have two certificates in the chain, then you should set:
>
>         ssl_verify_depth 2;
>
> What SSLVerifyDepth do you use with Apache?
>

Hmm. Funny enough, that's "SSLVerifyDepth 10". Erm. And now that I changed
this, and put in the original ca.crt containing two certificates, it
seems to work! Also with ssl_verify_depth 2; I thought I tried that, also
with ca.crt, but apparently I did not check this combination. Sorry for that.

But then there's one more thing: how can I limit the client-certificates
that are accepted? In stunnel I arranged this by putting the
certificates in a directory as CA certs, like:
 CAfile = /usr/local/etc/stunnel/chroot/ssl.crt/ca.crt
 CApath = /usr/local/etc/stunnel/chroot/trusted.current/
along with a validation depth of 3... I tried a similar thing (put the
client certificate in the ca.crt file) but apparently that doesn't work.
(In Apache I used the SSLRequire field instead, with a long equation
containing SSL_CLIENT_S_DN_OU and SSL_CLIENT_M_SERIAL and so forth...
Not very scalable, but that worked too.)

As an alternative, I tried playing with an if statement and
ssl_client_serial, but it seems inefficient (or more complex) to verify
multiple serial numbers here, and proxy_pass is apparently not allowed in
an if statement... so I couldn't get this working anyway. (There is no
variable to verify the certificate DN, is there?)

Thanks for your help,

Paul
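As an added configuration example (not part of this thread and not the nginx project's own configuration): the setup Igor describes, the CA bundle with ssl_verify_depth 2, combined with an allowlist of accepted client certificates built with map instead of if/proxy_pass. It uses current nginx syntax (listen ... ssl rather than ssl on), the $ssl_client_i_dn and $ssl_client_serial variables that exist in current nginx, and placeholder DN and serial values.

```nginx
http {
    # Allowlist of client certificates, keyed on issuer DN plus serial number.
    # A serial number is only unique within one issuing CA, and ca.crt trusts
    # the PCA as well, so the issuer must be part of the key. The DN and serial
    # values below are placeholders: log $ssl_client_i_dn and
    # $ssl_client_serial from a test request and paste the exact strings.
    map "$ssl_client_i_dn/$ssl_client_serial" $client_allowed {
        default 0;
        "CN=Example CA,O=Example Org,C=NL/1A2B3C4D" 1;   # placeholder
        "CN=Example CA,O=Example Org,C=NL/0F0E0D0C" 1;   # placeholder
    }

    server {
        listen 443 ssl;                       # current form of "ssl on;"
        ssl_certificate     /usr/local/etc/nginx/server.crt;
        ssl_certificate_key /usr/local/etc/nginx/server.key;

        # Point at the CA bundle (our CA plus the PCA above it), never at a
        # leaf certificate such as paul.crt.
        ssl_client_certificate /usr/local/etc/nginx/ca.crt;
        ssl_verify_client on;
        # Two CA certificates in the chain: set the depth to 2 as advised in
        # the thread (the default is 1).
        ssl_verify_depth 2;

        location / {
            # The chain is already checked by ssl_verify_client; this adds the
            # per-certificate allowlist. "return" is safe inside "if".
            if ($client_allowed = 0) {
                return 403;
            }
            proxy_pass http://www.surfnet.nl/;
            proxy_set_header Host www.surfnet.nl;
        }
    }
}
```

A rejected certificate shows up as a 403 in the access log with the client variables available for logging, which is easier to troubleshoot than a handshake failure.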





