NGINX not checking OCSP for revoked certificates
zeal at freecharge.com
Fri Oct 14 05:49:27 UTC 2016
I tried changing the ssl_verify_depth to 1 from value of 2 however still I
get 400 Bad Request for all the certificates ( Valid and Revoked ).
I checked the error_log file, there are no entries in that file. It all
works when I remove the ssl_crl option ( however then revoked certificates
are allowed ).
Just for bit more info, I downloaded the CRL from ADCS which is in form of
test.crl which I convert it to .pem format with openssl.
On Thu, Oct 13, 2016 at 6:27 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:
> > Hi
> > We've implemented basic Certificate Based Authentication for Nginx.
> > However whenever the certificate is revoked, Nginx still allows the
> > ( with revoked certificate ) to access the website.
> > I verified manually with openssl with OCSP URI and OCSP seems to be
> > properly. Nginx doesn't seem to be forwarding request to OCSP before
> > allowing client.
> That's because nginx doesn't support OCSP validation of client
> certificates. Use CRLs instead.
> > I tried to specify the ssl_crl but as soon as I put it, all the clients
> > starts to receive 400 Bad Request.
> > Here is my sample relevant Nginx Config :-
> > ### SSL cert files ###
> > ssl_client_certificate /test/ca.crt;
> > ssl_verify_client optional;
> > ssl_crl /prod-adcs/latest.pem;
> > ssl_verify_depth 2;
> > Is there something that I'm missing here ?
> Your error log should have details. Given you are using verify
> depth set to 2, most likely there is no CRL for the root
> certificate itself, and that's why nginx complaining.
> Maxim Dounin
> nginx mailing list
> nginx at nginx.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx