NGINX not checking OCSP for revoked certificates

Alex Samad alex at samad.com.au
Fri Oct 14 08:50:35 UTC 2016


What I had to do was set the depth to the number of CAs or greater, and I had
to get all the CRLs for each CA and concatenate them into a CRL file.



On 14 October 2016 at 16:49, Zeal Vora <zeal at freecharge.com> wrote:
> Thanks Maxim.
>
> I tried changing the ssl_verify_depth to 1 from the value of 2; however, I still
> get 400 Bad Request for all the certificates (valid and revoked).
>
> I checked the error_log file; there are no entries in that file. It all
> works when I remove the ssl_crl option (however, then revoked certificates
> are allowed).
>
> Just for a bit more info, I downloaded the CRL from ADCS, which is in the form
> of test.crl, and which I converted to .pem format with openssl.
>
> On Thu, Oct 13, 2016 at 6:27 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>>
>> Hello!
>>
>> On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:
>>
>> > Hi
>> >
>> > We've implemented basic Certificate Based Authentication for Nginx.
>> >
>> > However, whenever the certificate is revoked, Nginx still allows the client
>> > (with the revoked certificate) to access the website.
>> >
>> > I verified manually with openssl against the OCSP URI, and OCSP seems to be
>> > working properly. Nginx doesn't seem to be forwarding the request to OCSP
>> > before allowing the client.
>>
>> That's because nginx doesn't support OCSP validation of client
>> certificates.  Use CRLs instead.
>>
>> > I tried to specify the ssl_crl, but as soon as I put it in, all the clients
>> > start to receive 400 Bad Request.
>> >
>> > Here is my sample relevant Nginx config:
>> >
>> >     ### SSL cert files ###
>> >     ssl_client_certificate /test/ca.crt;
>> >     ssl_verify_client      optional;
>> >
>> >     ssl_crl                /prod-adcs/latest.pem;
>> >     ssl_verify_depth       2;
>> >
>> > Is there something that I'm missing here?
>>
>> Your error log should have details.  Given you are using verify
>> depth set to 2, most likely there is no CRL for the root
>> certificate itself, and that's why nginx is complaining.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
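The fix Alex describes (a verify depth that covers every CA, plus one CRL per CA bundled into a single PEM file, with the DER CRL that ADCS publishes converted to PEM) and Maxim's diagnosis (no CRL for the root certificate) can be reproduced without nginx. The script below is an added example, not code from the thread, its authors, or the nginx project. It assumes only the openssl command-line tool (1.1.1 or later) and uses constructed names (Demo Root CA, Demo Issuing CA, alice, bob) in a temporary directory. `openssl verify -crl_check_all` performs the same whole-chain CRL lookup that nginx turns on when ssl_crl is set, so a bundle missing the root CA's CRL makes even a valid client fail, which is the 400 Bad Request seen above.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the "one CRL per CA in the
# chain" requirement with the openssl CLI (1.1.1+ assumed).  Builds a throwaway
# two-level PKI (all names and paths constructed), revokes one client, publishes
# a CRL from EACH CA, bundles them into one PEM file as nginx's ssl_crl expects,
# and verifies clients with -crl_check_all, the whole-chain check nginx applies.
set -eu
write_cnf() {   # $1 = CA directory; one config serving both "openssl req" and "openssl ca"
cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
default_md = sha256
unique_subject = no
EOF
: > "$1/index.txt"
}
make_test_pki() {   # $1 = empty working directory
    d=$1
    mkdir -p "$d/root" "$d/inter"
    write_cnf "$d/root"; write_cnf "$d/inter"
    # Self-signed root CA.
    openssl req -x509 -config "$d/root/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$d/root/key.pem" -out "$d/root/cert.pem" 2>/dev/null
    # Issuing CA: CSR, then signed by the root with CA extensions.
    openssl req -new -config "$d/inter/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Issuing CA" -keyout "$d/inter/key.pem" -out "$d/inter/csr.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/inter/csr.pem" -CA "$d/root/cert.pem" \
        -CAkey "$d/root/key.pem" -CAcreateserial -extfile "$d/inter/ca.cnf" -extensions ca_ext \
        -out "$d/inter/cert.pem" 2>/dev/null
    # Two client certificates issued by the issuing CA.
    for u in alice bob; do
        openssl req -new -config "$d/inter/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$u" -keyout "$d/$u.key" -out "$d/$u.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 30 -in "$d/$u.csr" -CA "$d/inter/cert.pem" \
            -CAkey "$d/inter/key.pem" -CAcreateserial -out "$d/$u.crt" 2>/dev/null
    done
    # Revoke bob, then publish a CRL from EACH CA (the root's is empty, but it must exist).
    openssl ca -config "$d/inter/ca.cnf" -keyfile "$d/inter/key.pem" -cert "$d/inter/cert.pem" \
        -revoke "$d/bob.crt" 2>/dev/null
    for ca in root inter; do
        openssl ca -config "$d/$ca/ca.cnf" -keyfile "$d/$ca/key.pem" -cert "$d/$ca/cert.pem" \
            -gencrl -crldays 7 -out "$d/$ca/crl.pem" 2>/dev/null
    done
    # Stand-in for a CRL downloaded from ADCS, which publishes CRLs in DER form.
    openssl crl -in "$d/root/crl.pem" -outform DER -out "$d/root/crl.der"
}
to_pem_crl() {      # $1 = CRL in PEM or DER form; prints it as PEM
    if openssl crl -inform PEM -in "$1" -noout 2>/dev/null; then
        openssl crl -inform PEM -in "$1" -outform PEM
    else
        openssl crl -inform DER -in "$1" -outform PEM
    fi
}
build_crl_bundle() { # $1 = output file; remaining args = one CRL per CA in the chain
    bundle=$1; shift
    : > "$bundle"
    for f in "$@"; do to_pem_crl "$f" >> "$bundle"; done
    grep -c 'BEGIN X509 CRL' "$bundle"    # prints how many CRLs the bundle holds
}
check_client() {    # $1 = PKI dir, $2 = CRL bundle, $3 = client cert; prints ok|revoked|no-crl|fail
    if res=$(openssl verify -CAfile "$1/root/cert.pem" -untrusted "$1/inter/cert.pem" \
                 -crl_check_all -CRLfile "$2" "$3" 2>&1); then
        echo ok
    else
        case $res in
            *"certificate revoked"*)           echo revoked ;;
            *"unable to get certificate CRL"*) echo no-crl ;;
            *)                                 echo fail ;;
        esac
    fi
}
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    build_crl_bundle "$d/partial.pem" "$d/inter/crl.pem" >/dev/null
    build_crl_bundle "$d/all.pem" "$d/inter/crl.pem" "$d/root/crl.der" >/dev/null
    echo "alice, issuing-CA CRL only: $(check_client "$d" "$d/partial.pem" "$d/alice.crt")"  # no-crl
    echo "alice, both CRLs: $(check_client "$d" "$d/all.pem" "$d/alice.crt")"  # ok
    echo "bob, both CRLs: $(check_client "$d" "$d/all.pem" "$d/bob.crt")"  # revoked
    rm -rf "$d"
}
case ${1:-} in demo) demo ;; esac
```

Run it as `sh crl_bundle_demo.sh demo`. The count that `build_crl_bundle` prints is worth comparing against the number of CA certificates in the ssl_client_certificate bundle before reloading nginx; the "unable to get certificate CRL" reason the script matches is the OpenSSL verify error nginx records in error_log at the info level, so an error_log configured at a higher severity will stay empty, as it did in the thread.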


