ssl stapling, verification fails

drookie nginx-forum at nginx.us
Wed Apr 29 06:38:24 UTC 2015


Hi.

I'm trying to get nginx 1.6.2 to authenticate users using their client
certificates.

I'm using this configuration (besides usual SSL settings, which are proved
to work):

ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;

trusted.pem contains 3 CA certificates: test CA and 2 production CA (main
and intermediate).
To pass verification data to the application I'm using

fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;

And here comes the issue: when using test CA and test certificate, I'm
getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting
X-SSL-Verified: FAILED. You can say that there's a problem in my certificate
bunch, but I tried to verify if the production certificate is really issued
by the CA that I think about:

openssl verify -verbose -CAfile trusted.pem rt.cert 
rt.cert: OK

Looks like it passes the verification. trusted.pem is the same that nginx
uses. At the same time nginx thinks that the certificate doesn't pass the test.
Why can this happen? I've also tried setting 'ssl_verify_client on;' - the
only difference is that I get the 400 answer, because the verification fails
explicitly.

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,258480,258480#msg-258480


