HPKP report-uri and nginx ssl_verify_client
Marcus Schopen
lists at localguru.de
Sun Oct 30 20:34:26 UTC 2016
Hi,
On the host I'd like to send HPKP reports to, ssl_verify_client is set to
"optional":
ssl_client_certificate /etc/nginx/ssl/CA.pem;
ssl_verify_client optional;
If the HPKP policy fails (for another domain), Chrome (54.0.2840.71
(64-bit)) sends HPKP reports to that reporting host, but the POST ends
with an "ERR_SSL_CLIENT_AUTH_CERT_NEEDED" error, which in my
understanding is not correct, because the /hpkp-report path doesn't
require a client certificate for authentication. Chrome bug?
chrome://net-internals/#events
-----------------
322: URL_REQUEST
https://www.example.org/hpkp-report
Start Time: 2016-10-30 16:56:20.278
t=4559 [st= 0] +REQUEST_ALIVE [dt=75]
t=4559 [st= 0] URL_REQUEST_DELEGATE [dt=0]
t=4559 [st= 0] +URL_REQUEST_START_JOB [dt=75]
--> load_flags = 1618 (BYPASS_CACHE | DISABLE_CACHE |
DO_NOT_SAVE_COOKIES | DO_NOT_SEND_AUTH_DATA | DO_NOT_SEND_COOKIES)
--> method = "POST"
--> priority = "LOWEST"
--> upload_id = "0"
--> url = "https://www.example.org/hpkp-report"
t=4559 [st= 0] URL_REQUEST_DELEGATE [dt=0]
t=4559 [st= 0] HTTP_CACHE_GET_BACKEND [dt=0]
t=4559 [st= 0] +HTTP_STREAM_REQUEST [dt=75]
t=4559 [st= 0] HTTP_STREAM_REQUEST_STARTED_JOB
--> source_dependency = 323 (HTTP_STREAM_JOB)
t=4634 [st=75] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 323 (HTTP_STREAM_JOB)
t=4634 [st=75] -HTTP_STREAM_REQUEST
t=4634 [st=75] URL_REQUEST_DELEGATE [dt=0]
t=4634 [st=75] CANCELLED
--> net_error = -110
(ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=4634 [st=75] -URL_REQUEST_START_JOB
--> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=4634 [st=75] URL_REQUEST_DELEGATE [dt=0]
t=4634 [st=75] -REQUEST_ALIVE
-----------------
If I type in https://www.example.org/hpkp-report in Chrome's address bar
I don't get an SSL error (tested with different clients).
Ciao
Marcus
--
I think we dream so we don't have to be apart so long. If we're in each
other's dreams, we can play together all night. -- Calvin
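Added example, not from the post above or from the nginx project: ssl_verify_client is a server-level directive (context: http, server), so with "optional" nginx asks for a client certificate in the TLS handshake of every connection to that server block, whatever path is requested afterwards. The config below contrasts that setup with one that moves the report endpoint into its own server block that never requests a client certificate. Hostnames, certificate paths and the upstream address are assumptions; the second server block relies on nginx picking the TLS context by SNI, and giving it its own listen address or port removes even that dependency.

```nginx
# Added example (not the original poster's config). Hostnames, paths and
# the upstream collector address are assumptions.

# Weak: the report endpoint lives in a server block that has
# ssl_verify_client optional. nginx sends a CertificateRequest in every
# handshake for this server, including the one that precedes a POST to
# /hpkp-report; a location block cannot switch that off.
server {
    listen 443 ssl http2;
    server_name www.example.org;

    ssl_certificate     /etc/nginx/ssl/www.example.org.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.org.key;

    ssl_client_certificate /etc/nginx/ssl/CA.pem;
    ssl_verify_client optional;

    # The part that actually needs a client cert: enforce it per location.
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8081;
    }

    # Served only after a handshake that already asked for a client cert.
    location = /hpkp-report {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Corrected: a dedicated server block for the report collector with no
# ssl_client_certificate / ssl_verify_client (the default is "off"), so
# the handshake never requests a client certificate. Point the
# Public-Key-Pins report-uri of the pinned site at this name.
server {
    listen 443 ssl http2;
    server_name hpkp-report.example.org;

    ssl_certificate     /etc/nginx/ssl/hpkp-report.example.org.crt;
    ssl_certificate_key /etc/nginx/ssl/hpkp-report.example.org.key;

    location = /hpkp-report {
        # Reports are JSON POSTs; refuse everything else and cap the body.
        limit_except POST {
            deny all;
        }
        client_max_body_size 16k;
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        return 404;
    }
}
```

A quick check that the two handshakes differ: "openssl s_client -connect www.example.org:443 -servername www.example.org" prints an "Acceptable client certificate CA names" section for the first block, while the same command with -servername hpkp-report.example.org prints "No client certificate CA names sent", which is what a background report POST needs.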