NGINX not checking OCSP for revoked certificates

Maxim Dounin mdounin at
Thu Oct 13 12:57:32 UTC 2016


On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:

> Hi
> We've implemented basic Certificate Based Authentication for Nginx.
> However, whenever the certificate is revoked, Nginx still allows the client
> (with revoked certificate) to access the website.
> I verified manually with openssl with the OCSP URI and OCSP seems to be working
> properly. Nginx doesn't seem to be forwarding the request to OCSP before
> allowing the client.

That's because nginx doesn't support OCSP validation of client 
certificates.  Use CRLs instead.

> I tried to specify the ssl_crl but as soon as I put it, all the clients
> start to receive 400 Bad Request.
> Here is my sample relevant Nginx Config :-
>     ### SSL cert files ###
>     ssl_client_certificate /test/ca.crt;
>     ssl_verify_client   optional;
>     ssl_crl /prod-adcs/latest.pem;
>     ssl_verify_depth 2;
> Is there something that I'm missing here?

Your error log should have details.  Given you are using verify 
depth set to 2, most likely there is no CRL for the root 
certificate itself, and that's why nginx is complaining.

Maxim Dounin
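A script to check the point made above, added here as an example and not part of the thread: it lists the subjects of the CAs in the ssl_client_certificate bundle and the issuers of the CRLs in the ssl_crl file, reports any CA without a CRL, and repeats nginx's verification with openssl. It assumes openssl is on PATH; the file paths and the certificate names are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing list. nginx verifies the client chain up
# to ssl_verify_depth with CRL checking, so the ssl_crl file must carry a CRL
# for every CA in that chain (the root included); a missing one fails the
# handshake. nginx loads every CRL in the file, so concatenate one per CA.
# Assumes openssl on PATH; paths given on the command line are placeholders.

# Run a command on each PEM block of one type in a bundle.
# $1 = bundle path, $2 = PEM type ("CERTIFICATE" or "X509 CRL"), rest = command.
pem_each() {
  bundle=$1; kind=$2; shift 2
  block=""
  while IFS= read -r line; do
    case $line in
      "-----BEGIN $kind-----") block=$line ;;
      "-----END $kind-----")   printf '%s\n%s\n' "$block" "$line" | "$@"; block="" ;;
      *) if [ -n "$block" ]; then block="$block
$line"; fi ;;
    esac
  done < "$bundle"
}

# Subjects of the CA certificates nginx will trust, one per line.
ca_subjects() { pem_each "$1" CERTIFICATE openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
# Issuers of the CRLs nginx will load, one per line.
crl_issuers() { pem_each "$1" "X509 CRL" openssl crl -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Print every CA subject ($1, one per line) that has no CRL issuer ($2) matching it exactly.
report_missing() {
  printf '%s\n' "$1" | while IFS= read -r subj; do
    [ -n "$subj" ] || continue
    if ! printf '%s\n' "$2" | grep -Fxq -- "$subj"; then
      printf 'no CRL for CA: %s\n' "$subj"
    fi
  done
}

missing_crls() { report_missing "$(ca_subjects "$1")" "$(crl_issuers "$2")"; }

# Repeat nginx's check outside the server: verify a client certificate against
# the CA bundle with CRL checking on every element of the chain.
verify_client() { openssl verify -CAfile "$1" -CRLfile "$2" -crl_check_all "$3"; }

if [ "$#" -eq 3 ]; then   # usage: ./crlcheck.sh ca.crt latest.pem client.crt
  missing_crls "$1" "$2"
  verify_client "$1" "$2" "$3"
fi
```

Any line printed by missing_crls names a CA whose CRL must be appended to the ssl_crl file; verify_client shows the same error the nginx error log would report.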
