NGINX not checking OCSP for revoked certificates
Zeal Vora
zeal at freecharge.com
Fri Oct 14 05:49:27 UTC 2016
Thanks Maxim.
I tried changing the ssl_verify_depth to 1 from value of 2 however still I
get 400 Bad Request for all the certificates ( Valid and Revoked ).
I checked the error_log file, there are no entries in that file. It all
works when I remove the ssl_crl option ( however then revoked certificates
are allowed ).
Just for bit more info, I downloaded the CRL from ADCS which is in form of
test.crl which I convert it to .pem format with openssl.
On Thu, Oct 13, 2016 at 6:27 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:
>
> > Hi
> >
> > We've implemented basic Certificate Based Authentication for Nginx.
> >
> > However whenever the certificate is revoked, Nginx still allows the
> client
> > ( with revoked certificate ) to access the website.
> >
> > I verified manually with openssl with OCSP URI and OCSP seems to be
> working
> > properly. Nginx doesn't seem to be forwarding request to OCSP before
> > allowing client.
>
> That's because nginx doesn't support OCSP validation of client
> certificates. Use CRLs instead.
>
> > I tried to specify the ssl_crl but as soon as I put it, all the clients
> > starts to receive 400 Bad Request.
> >
> > Here is my sample relevant Nginx Config :-
> >
> >
> > ### SSL cert files ###
> >
> > ssl_client_certificate /test/ca.crt;
> > ssl_verify_client optional;
> >
> > ssl_crl /prod-adcs/latest.pem;
> > ssl_verify_depth 2;
> >
> >
> > Is there something that I'm missing here ?
>
> Your error log should have details. Given you are using verify
> depth set to 2, most likely there is no CRL for the root
> certificate itself, and that's why nginx complaining.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20161014/f1d6afb7/attachment.html>
More information about the nginx
mailing list