HPKP report-uri and nginx ssl_verify_client

Marcus Schopen lists at localguru.de
Sun Oct 30 20:34:26 UTC 2016


Hi,

On a host I'd like to send HPKP reports to, ssl_verify_client is set to
"optional":

 ssl_client_certificate	/etc/nginx/ssl/CA.pem;
 ssl_verify_client optional;

If the HPKP policy fails (for another domain), Chrome (54.0.2840.71
(64-bit)) sends HPKP reports to that reporting host, but the POST ends
with an "ERR_SSL_CLIENT_AUTH_CERT_NEEDED" error, which in my
understanding is not correct, because the /hpkp-report path doesn't
require a client certificate for authentication. Chrome bug?

chrome://net-internals/#events
-----------------
322: URL_REQUEST
https://www.example.org/hpkp-report
Start Time: 2016-10-30 16:56:20.278

t=4559 [st= 0] +REQUEST_ALIVE  [dt=75]
t=4559 [st= 0]    URL_REQUEST_DELEGATE  [dt=0]
t=4559 [st= 0]   +URL_REQUEST_START_JOB  [dt=75]
                  --> load_flags = 1618 (BYPASS_CACHE | DISABLE_CACHE | DO_NOT_SAVE_COOKIES | DO_NOT_SEND_AUTH_DATA | DO_NOT_SEND_COOKIES)
                  --> method = "POST"
                  --> priority = "LOWEST"
                  --> upload_id = "0"
                  --> url = "https://www.example.org/hpkp-report"
t=4559 [st= 0]      URL_REQUEST_DELEGATE  [dt=0]
t=4559 [st= 0]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=4559 [st= 0]     +HTTP_STREAM_REQUEST  [dt=75]
t=4559 [st= 0]        HTTP_STREAM_REQUEST_STARTED_JOB
                      --> source_dependency = 323 (HTTP_STREAM_JOB)
t=4634 [st=75]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                      --> source_dependency = 323 (HTTP_STREAM_JOB)
t=4634 [st=75]     -HTTP_STREAM_REQUEST
t=4634 [st=75]      URL_REQUEST_DELEGATE  [dt=0]
t=4634 [st=75]      CANCELLED
                    --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=4634 [st=75]   -URL_REQUEST_START_JOB
                  --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=4634 [st=75]    URL_REQUEST_DELEGATE  [dt=0]
t=4634 [st=75] -REQUEST_ALIVE
-----------------

If I type https://www.example.org/hpkp-report into Chrome's address bar
I don't get an SSL error (tested with different clients).

Ciao
Marcus

-- 
   I think we dream so we don't have to be apart so long. If we're in each
other's dreams, we can play together all night.	  -- Calvin
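The configuration below is an added example, not part of the original post or of nginx's documentation. It shows the setup the post describes beside a separated one: ssl_verify_client is valid only in the http and server contexts, so with "optional" nginx sends a TLS CertificateRequest on every handshake of that server block, whatever path is later requested; a client that will not supply a certificate without user interaction fails the handshake, not the request. Moving the report endpoint into its own server block (its own server_name, selected by SNI) means the report POST never sees a CertificateRequest. All hostnames, file paths, upstream addresses and pin values are placeholders.

```nginx
# Added example (not from the original post). Application host keeps
# optional client-certificate authentication; the HPKP report endpoint
# is served from a separate server block that never asks for one.

# Application host: as in the original post, client certificates are
# optional here, which still makes nginx request one on every handshake.
server {
    listen 443 ssl;
    server_name www.example.org;

    ssl_certificate     /etc/nginx/ssl/www.example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/www.example.org.key;   # placeholder path

    ssl_client_certificate /etc/nginx/ssl/CA.pem;
    ssl_verify_client optional;

    # Pins are placeholders. report-uri points at the separate reporting
    # host so the report POST is made on a handshake without a
    # CertificateRequest.
    add_header Public-Key-Pins 'pin-sha256="PRIMARY_PIN_PLACEHOLDER_BASE64="; pin-sha256="BACKUP_PIN_PLACEHOLDER_BASE64="; max-age=5184000; report-uri="https://hpkp-report.example.org/hpkp-report"' always;

    location / {
        # Pass the verification result upstream; the application decides
        # which paths actually require a certificate.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;   # placeholder application backend
    }
}

# Reporting host: ssl_verify_client is left at its default ("off"), so
# nginx never sends a CertificateRequest on this handshake.
server {
    listen 443 ssl;
    server_name hpkp-report.example.org;

    ssl_certificate     /etc/nginx/ssl/hpkp-report.example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/hpkp-report.example.org.key;   # placeholder path

    location = /hpkp-report {
        # HPKP reports are small JSON POSTs; refuse anything else.
        limit_except POST { deny all; }
        client_max_body_size 16k;
        proxy_pass http://127.0.0.1:8081;   # placeholder report collector
    }

    location / { return 404; }
}
```

Both blocks can share one IP and port because nginx picks the server block from the SNI hostname the browser sends; a client that omits SNI lands in the default server for that listen socket, so make sure the default is not the block with ssl_verify_client. The same separation works with a second listen port if a second hostname is not available.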
