Problem of configuring client cert verification
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 10 09:35:47 UTC 2011
Hello!
On Wed, Aug 10, 2011 at 02:26:15AM -0400, speedfirst wrote:
> Hey I have a config like this:
>
> server {
>     server_name foo;
>     listen 10.117.0.150:3443;
>     ssl on;
>     ssl_certificate /opt/mycrt/nginx.crt;
>     ssl_certificate_key /opt/mycrt/nginx.key;
>     # clients must present a cert chained to foo's CA
>     ssl_verify_client on;
>     ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;
>
>     location = /certauth {
>     }
>
>     location / {
>         return 403;
>     }
> }
>
> server {
>     server_name bar;
>     listen 10.117.0.150:3443;
>     ssl on;
>     ssl_certificate /opt/mycrt/nginx.crt;
>     ssl_certificate_key /opt/mycrt/nginx.key;
>     # clients must present a cert chained to bar's CA
>     ssl_verify_client on;
>     ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;
>
>     location = /certauth {
>     }
>
>     location / {
>         return 403;
>     }
> }
>
> Note that the two server names share the same IP. If I set client
> certificate verification on in both server configs, it works well. That is,
> accessing https://foo:3443/certauth and https://bar:3443/certauth both work
> with the correct certificates (the first cert is signed by nginx.foo.ca.crt
> and the second is signed by nginx.bar.ca.crt).
>
> However, if I set the first server block's "ssl_verify_client" to "off"
> and remove the location block for "= /certauth", both servers return
> the 403 error. In other words, disabling client cert verification in
> "foo" also disables client cert verification in the "bar" server.
>
> If I assign a new IP 10.117.0.151 to server "bar" and try with foo's
> client cert verification "off" and bar's "on", it works as expected -- foo
> always returns the 403 error and bar correctly returns the normal
> page.
>
> I've checked and confirmed that SNI is enabled in my nginx; my openssl is
> 1.0.0c and my nginx version is 0.9.3.
>
> Is this expected, a bug, or did I do something wrong in the config?
Try this patch:
http://mailman.nginx.org/pipermail/nginx-devel/2011-June/000985.html
Maxim Dounin
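For reference, here is the shape of a per-name client-certificate setup on a shared IP:port once nginx selects the verification settings of the SNI-matched server block (the behaviour the patch above addresses). This is an added example, not the poster's config or anything from the nginx project; the paths, names and the two-level verify depth are assumptions.

```nginx
# Added example: two name-based HTTPS virtual hosts on one IP:port,
# each trusting a different client CA. Assumes an nginx in which
# ssl_verify_client is taken from the server block chosen by SNI.
server {
    listen      10.117.0.150:3443 ssl;
    server_name foo;

    ssl_certificate     /opt/mycrt/nginx.crt;      # server cert (assumed path)
    ssl_certificate_key /opt/mycrt/nginx.key;

    # Only clients whose certificate chains to foo's CA are accepted;
    # anything else fails the handshake with a 400 from nginx.
    ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;    # assumed: CA -> intermediate -> client

    location = /certauth {
        # Surface the verification result for the client or a backend.
        add_header X-Client-Verify $ssl_client_verify;
        return 200 "foo: client cert verified\n";
    }

    location / {
        return 403;
    }
}

server {
    listen      10.117.0.150:3443 ssl;
    server_name bar;

    ssl_certificate     /opt/mycrt/nginx.crt;
    ssl_certificate_key /opt/mycrt/nginx.key;

    # Same IP and port, but a different trust anchor for client certs.
    ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location = /certauth {
        add_header X-Client-Verify $ssl_client_verify;
        return 200 "bar: client cert verified\n";
    }

    location / {
        return 403;
    }
}
```

To confirm the two blocks really are verified independently, test each name with the other name's client certificate, for example `openssl s_client -connect 10.117.0.150:3443 -servername bar -cert client-foo.crt -key client-foo.key` followed by a request carrying `Host: bar`; nginx should reject it, while the same request with a certificate issued by nginx.bar.ca.crt should reach `/certauth`. If both names accept both certificates, the verification context is still being shared across the SNI names rather than chosen per server block, which is the symptom described above.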