ssl stapling, verification fails

drookie nginx-forum at
Wed Apr 29 06:38:24 UTC 2015


I'm trying to get nginx 1.6.2 to authenticate users using their client

I'm using this configuration (besides usual SSL settings, which are proved
to work):

ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;

trusted.pem contains 3 CA certificates: test CA and 2 production CA (main
and intermediate).
To pass verification data to the application I'm using

fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;

And here comes the issue: when using test CA and test cerificate, I'm
getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting
X-SSL-Verified: FAILED. You can say that there's a problem in my certificate
bunch, but I tried to verify if the production certificate is really issued
by the CA that I think about:

openssl verify -verbose -CAfile trusted.pem rt.cert 
rt.cert: OK

Looks like it passes the verification. trusted.pem is the same that nginx
uses. In the same time nginx thinks that certificate doesn't pass the test.
Why can this happen ? I've also tried setting 'ssl_verify_client on;' - the
only difference that I get the 400 answer, because the verification fails


Posted at Nginx Forum:,258480,258480#msg-258480

More information about the nginx mailing list