Problem of configuring client cert verification

Maxim Dounin mdounin at mdounin.ru
Wed Aug 10 09:35:47 UTC 2011


Hello!

On Wed, Aug 10, 2011 at 02:26:15AM -0400, speedfirst wrote:

> Hey I have a config like this:
> 
> server {
>    server_name foo;
>    listen 10.117.0.150:3443;
>    ssl on;
>    ssl_certificate /opt/mycrt/nginx.crt;
>    ssl_certificate_key /opt/mycrt/nginx.key;
>    ssl_verify_client on;
>    ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;
> 
>    location = /certauth {
>    }
>   
>    location / {
>        return 403;
>    }
> }
> 
> server {
>    server_name bar;
>    listen 10.117.0.150:3443;
>    ssl on;
>    ssl_certificate /opt/mycrt/nginx.crt;
>    ssl_certificate_key /opt/mycrt/nginx.key;
>    ssl_verify_client on;
>    ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;
> 
>    location = /certauth {
>    }
>   
>    location / {
>        return 403;
>    }
> }
> 
> Note that the two server names share the same IP. If I set both server configs'
> client certificate verification on, it works well. That is, accessing
> https://foo:3443/certauth and https://bar:3443/certauth both succeed with
> the correct certificates (the first cert is signed by nginx.foo.ca.crt and
> the second is signed by nginx.bar.ca.crt).
> 
> However, if I set the first server block's "ssl_verify_client" to "off"
> and remove the location block for "= /certauth", both servers return
> the 403 error. In other words, disabling client cert verification in
> "foo" also disables client cert verification in the "bar" server.
> 
> If I assign a new IP 10.117.0.151 to server "bar" and try with foo's
> client cert verification "off" and bar's "on", it works as expected -- foo
> always returns the 403 error and bar correctly returns the normal
> page.
> 
> I've checked and confirmed that my nginx's SNI is enabled; my openssl is
> 1.0.0c, and my nginx version is 0.9.3.
> 
> 
> Is this expected, a bug, or did I do something wrong in the config?

Try this patch:

http://mailman.nginx.org/pipermail/nginx-devel/2011-June/000985.html

Maxim Dounin
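The layout in the quoted config (two server blocks on one listen address, one with ssl_verify_client off and one with it on) is easy to spot statically before it reaches a server. The following is an added example, not code from this thread or from nginx itself: a small Python linter that parses a constructed config in the same shape and reports any listen address whose server blocks disagree on ssl_verify_client. The config reader is a deliberately simplified nginx-syntax parser (no include handling, no quoted strings containing braces), which is an assumption made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two-vhost layout from the thread, with the first
# block's ssl_verify_client switched off (the variant that surprised the poster).
SAMPLE_CONFIG = """
server {
    server_name foo;
    listen 10.117.0.150:3443;
    ssl on;
    ssl_certificate /opt/mycrt/nginx.crt;
    ssl_certificate_key /opt/mycrt/nginx.key;
    ssl_verify_client off;   # verification disabled here ...
    ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;
    location / { return 403; }
}

server {
    server_name bar;
    listen 10.117.0.150:3443;  # ... but this block shares the same ip:port
    ssl on;
    ssl_certificate /opt/mycrt/nginx.crt;
    ssl_certificate_key /opt/mycrt/nginx.key;
    ssl_verify_client on;
    ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;
    location = /certauth { }
    location / { return 403; }
}
"""


def parse_server_blocks(text):
    """Return one dict per top-level server {} block, mapping directive name
    to its list of argument strings. Only server-level directives (brace
    depth 1) are recorded; nested blocks such as location {} are skipped.
    Simplified parser: comments are stripped, statements are split on ';',
    '{' and '}', and include/quoting rules are not handled (assumption)."""
    text = re.sub(r'#[^\n]*', '', text)          # drop '#' comments
    servers, depth, current = [], 0, None
    for token in re.findall(r'[^;{}]*[;{}]', text):
        stmt, delim = token[:-1].strip(), token[-1]
        if delim == '{':
            if depth == 0 and stmt == 'server':
                current = defaultdict(list)      # entering a server block
            depth += 1
        elif delim == '}':
            depth -= 1
            if depth == 0 and current is not None:
                servers.append(dict(current))    # leaving the server block
                current = None
        elif current is not None and depth == 1 and stmt:
            parts = stmt.split(None, 1)
            current[parts[0]].append(parts[1].strip() if len(parts) > 1 else '')
    return servers


def find_mixed_verification(servers):
    """Group server blocks by the address in their listen directive and return
    (address, [server names], sorted set of ssl_verify_client values) for every
    address whose blocks do not all use the same ssl_verify_client setting.
    A block without the directive is treated as nginx's default, 'off'."""
    by_listen = defaultdict(list)
    for s in servers:
        for listen in s.get('listen', []):
            by_listen[listen.split()[0]].append(s)   # first token is ip:port
    findings = []
    for addr, group in by_listen.items():
        if len(group) < 2:
            continue
        verify = {(s.get('ssl_verify_client') or ['off'])[0] for s in group}
        if len(verify) > 1:
            names = [(s.get('server_name') or ['?'])[0] for s in group]
            findings.append((addr, names, sorted(verify)))
    return findings


if __name__ == '__main__':
    for addr, names, verify in find_mixed_verification(parse_server_blocks(SAMPLE_CONFIG)):
        print(f"{addr}: server blocks {names} disagree on ssl_verify_client {verify}")
```

Run against a real config by reading the file into `parse_server_blocks` instead of `SAMPLE_CONFIG`; an empty result means every server block on a shared address uses the same ssl_verify_client setting, so the per-address behaviour the thread describes cannot arise from that config.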
