ssl stapling, verification fails

Maxim Dounin mdounin at mdounin.ru
Wed Apr 29 11:34:56 UTC 2015


Hello!

On Wed, Apr 29, 2015 at 02:38:24AM -0400, drookie wrote:

> Hi.
> 
> I'm trying to get nginx 1.6.2 to authenticate users using their client
> certificates.
> 
> I'm using this configuration (besides usual SSL settings, which are proved
> to work):
> 
> ssl_stapling on;
> ssl_client_certificate /etc/nginx/certs/trusted.pem;
> ssl_verify_client optional_no_ca;
> 
> trusted.pem contains 3 CA certificates: test CA and 2 production CA (main
> and intermediate).
> To pass verification data to the application I'm using
> 
> fastcgi_param X-SSL-Verified $ssl_client_verify;
> fastcgi_param X-SSL-Certificate $ssl_client_cert;
> fastcgi_param X-SSL-IDN $ssl_client_i_dn;
> fastcgi_param X-SSL-SDN $ssl_client_s_dn;
> 
> And here comes the issue: when using test CA and test certificate, I'm
> getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting
> X-SSL-Verified: FAILED. You can say that there's a problem in my certificate
> bunch, but I tried to verify if the production certificate is really issued
> by the CA that I think about:
> 
> openssl verify -verbose -CAfile trusted.pem rt.cert 
> rt.cert: OK
> 
> Looks like it passes the verification. trusted.pem is the same one that nginx
> uses. At the same time, nginx thinks that the certificate doesn't pass the test.
> Why can this happen? I've also tried setting 'ssl_verify_client on;' - the
> only difference is that I get the 400 answer, because the verification fails
> explicitly.

Try looking into the error log, it should have details at the info 
level.

Most likely, the problem is that you are trying to use 
intermediate CAs with the default value of ssl_verify_depth, see 
http://nginx.org/r/ssl_verify_depth.

-- 
Maxim Dounin
http://nginx.org/
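As an added illustration (not code from this thread, from Maxim, or from nginx itself), the script below builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then verifies the leaf at several depth limits. It reproduces the disagreement described above: "openssl verify" without -verify_depth uses OpenSSL's default limit of 100, whereas nginx hands its ssl_verify_depth value (default 1) to SSL_CTX_set_verify_depth, so the CLI can say OK while nginx rejects the same certificate against the same bundle. All file and subject names in it (chain.cnf, trusted.pem, "Example Root CA", and so on) are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a root -> intermediate
# -> leaf chain and show how the verify depth, not the CA bundle, decides the
# verdict. Every name below is made up for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: an empty DN section so "req -subj" works without the
# system openssl.cnf, plus extension profiles for CA and client certificates.
cat > chain.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_csr NAME SUBJECT-CN: unencrypted RSA key plus CSR for one chain member.
new_csr() {
    openssl req -new -config chain.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

new_csr root "Example Root CA"
new_csr int  "Example Intermediate CA"
new_csr leaf "client.example.test"

# Root: self-signed CA. Intermediate: CA signed by the root.
# Leaf: client certificate signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 1 \
    -extfile chain.cnf -extensions ca_ext -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile chain.cnf -extensions ca_ext -out int.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile chain.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null

# Same layout as the poster's trusted.pem: intermediate and root in one bundle.
cat int.pem root.pem > trusted.pem

# verify_at_depth N: verify leaf.pem against trusted.pem with the depth limit
# that nginx would apply for "ssl_verify_depth N". Returns 0 on SUCCESS and
# 1 on FAILED; on failure it also prints OpenSSL's reason line, which is the
# same text nginx writes at info level as
# "client SSL certificate verify error: (N:reason)".
verify_at_depth() {
    if out=$(openssl verify -verify_depth "$1" -CAfile trusted.pem leaf.pem 2>&1); then
        echo "ssl_verify_depth $1: SUCCESS"
        return 0
    else
        echo "ssl_verify_depth $1: FAILED"
        echo "$out" | sed 's/^/    /'
        return 1
    fi
}

# The poster's manual check: no -verify_depth, so the CLI default of 100 applies.
openssl verify -CAfile trusted.pem leaf.pem

# On OpenSSL 1.1.0 and later only intermediates count, so one intermediate
# needs depth 1; depth 0 is one short and fails with "certificate chain too long".
verify_at_depth 0 || true
verify_at_depth 1
```

The practical rule the script demonstrates: when comparing the CLI with nginx, pass -verify_depth with the value nginx actually uses rather than relying on the CLI default, and read the reason nginx logged (error_log at the info level, as suggested above) instead of guessing. One caveat on the numbers: OpenSSL 1.1.0 changed the meaning of the depth so that neither the leaf nor the trust anchor is counted, which is why depth 1 admits one intermediate in the run above; OpenSSL 1.0.x, which nginx 1.6.2 was typically built against in 2015, also counted the anchor, so the same one-intermediate chain needed ssl_verify_depth 2 there. With either version, the fix is to raise ssl_verify_depth to cover the longest chain you expect, not to loosen ssl_verify_client.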
