400 errors after upgrading to 1.14.0

Maxim Dounin mdounin at mdounin.ru
Wed Sep 19 22:12:25 UTC 2018


On Wed, Sep 19, 2018 at 03:59:58PM -0400, kpuscas wrote:

> Our service uses 2-way ssl with our clients connecting to our systems. With
> each new client we add their intermediate and root CA chain to the
> concatenated certificates file used by ssl_client_certificate. We recently
> upgraded to 1.14.0 (and the included modules) and now some, but not all, of
> our customers are unable to connect, getting 400 errors. We've tried changing
> the order of the certificates in the concatenated file but that didn't help.
> It is happening across different certificate chains but not all. And all of
> them worked fine prior to the upgrade.
> Has anyone else encountered this or is there something we should be doing
> differently in how we set up these certificates?

There were no recent changes in nginx related to client 
certificate validation.  On the other hand, there were changes in 
OpenSSL - most notably, OpenSSL 1.1.0+ now by default rejects 
MD5-signed certificates and/or certificates with less than 
1024-bit RSA keys.

This might be the reason for problems you have with some 
certificates, assuming you've upgraded not only nginx but also 
switched to a newer OpenSSL library.

You may also want to take a look at nginx error logs.  When nginx 
returns a 400 error, it logs the reason to the error log at the 
"info" level.

Maxim Dounin
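A script to check a concatenated bundle for the two OpenSSL 1.1.0+ defaults mentioned above (MD5 signatures, RSA keys under 1024 bits), added here as an example and not part of this thread or of nginx. It assumes the openssl CLI is installed, that its `x509 -text` output uses the usual "Signature Algorithm:" and "Public-Key: (N bit)" lines, and the bundle path on the last line is a placeholder.

```shell
#!/bin/sh
# Audit the concatenated PEM bundle handed to ssl_client_certificate for the
# two things OpenSSL 1.1.0+ rejects by default: MD5-signed certificates and
# RSA keys shorter than 1024 bits. audit_bundle needs the openssl CLI.

# Classify one certificate from its `openssl x509 -noout -text` output (stdin).
# Prints "<subject> | sig=<alg> bits=<n> | <status>" and returns 1 unless OK.
classify_cert_text() {
    text=$(cat)
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    status=OK
    [ -n "$sigalg" ] || status=UNREADABLE   # empty or unparseable openssl output
    case "$sigalg" in
        md5*|*MD5*) status=WEAK ;;          # e.g. md5WithRSAEncryption
    esac
    # The key-size floor is for RSA; EC keys are legitimately short.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
       && [ "${bits:-0}" -lt 1024 ]; then
        status=WEAK
    fi
    printf '%s | sig=%s bits=%s | %s\n' "$subject" "$sigalg" "$bits" "$status"
    [ "$status" = OK ]
}

# Split a PEM bundle into one certificate per temp file and classify each.
# Prints a summary line and returns 1 if any certificate was flagged.
audit_bundle() {
    bundle=$1
    tmpdir=$(mktemp -d)
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
    total=0; flagged=0
    for f in "$tmpdir"/*.pem; do
        [ -e "$f" ] || break
        total=$((total + 1))
        openssl x509 -in "$f" -noout -text 2>/dev/null | classify_cert_text || flagged=$((flagged + 1))
    done
    rm -rf "$tmpdir"
    echo "$total certificate(s) checked, $flagged flagged"
    [ "$flagged" -eq 0 ]
}

# Usage: sh audit_bundle.sh /path/to/client-ca-bundle.pem   (placeholder path)
[ -z "${1:-}" ] || audit_bundle "$1"
```

Run it against the file named in ssl_client_certificate; a WEAK line identifies a chain the newer OpenSSL will refuse, which matches the 400 reason logged at the "info" level.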
