400 errors after upgrading to 1.14.0
mdounin at mdounin.ru
Wed Sep 19 22:12:25 UTC 2018
On Wed, Sep 19, 2018 at 03:59:58PM -0400, kpuscas wrote:
> Our service uses 2-way ssl with our clients connecting to our systems. With
> each new client we add their intermediate and root CA chain to the
> concatenated certificates file used by ssl_client_certificate. We recently
> upgraded to 1.14.0 (and the included modules) and now some, but not all of
> our customers are unable to connect getting 400 errors. We've tried changing
> the order of the certificates in the concatenated file but that didn't help.
> It is happening across different certificate chains but not all. And all of
> them worked fine prior to the upgrade.
> Has anyone else encountered this or is there something we should be doing
> differently in how we set up these certificates?
There were no recent changes in nginx related to client
certificate validation. On the other hand, there were changes in
OpenSSL - most notably, OpenSSL 1.1.0+ now by default rejects
MD5-signed certificates and/or certificates with less than
1024-bit RSA keys.
This might be the reason for problems you have with some
certificates, assuming you've upgraded not only nginx but also
switched to a newer OpenSSL library.
You may also want to take a look at nginx error logs. When nginx
returns a 400 error, it logs the reason to the error log at the
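As an added example (not code from this thread, nor from the nginx or OpenSSL projects): a dependency-free Python audit of a concatenated ssl_client_certificate bundle that flags the two cases named in the reply, MD5-signed certificates and RSA keys shorter than 1024 bits. The DER walker reads only the fields it needs; the sample bundle is constructed inline from placeholder certificates that are not signed by any real CA.

```python
import base64, re

# DER-encoded OIDs under 1.2.840.113549.1.1 (PKCS#1) that this check recognises
PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"
OID_NAMES = {PKCS1 + b"\x01": "rsaEncryption", PKCS1 + b"\x04": "md5WithRSAEncryption",
             PKCS1 + b"\x05": "sha1WithRSAEncryption", PKCS1 + b"\x0b": "sha256WithRSAEncryption"}
MIN_RSA_BITS = 1024   # OpenSSL 1.1.0+ default security level rejects shorter RSA keys

def tlv(buf, off=0):  # read one DER tag-length-value at off -> (tag, value, next offset)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:     # long-form length: low bits give the number of length bytes
        n = ln & 0x7F; ln = int.from_bytes(buf[off:off + n], "big"); off += n
    return tag, buf[off:off + ln], off + ln
def children(value):  # contents of a constructed value as a list of (tag, value)
    out, off = [], 0
    while off < len(value):
        tag, val, off = tlv(value, off); out.append((tag, val))
    return out
def audit_cert_der(der_bytes):  # -> (signature algorithm, RSA modulus bits or None, problems)
    tbs, sig_alg, _sig = children(tlv(der_bytes)[1])
    sig_name = OID_NAMES.get(children(sig_alg[1])[0][1], "unknown")
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]   # drop optional [0] version
    key_alg, key_bits = children(fields[5][1])                # subjectPublicKeyInfo
    bits = None
    if children(key_alg[1])[0][1] == PKCS1 + b"\x01":          # rsaEncryption
        modulus = children(tlv(key_bits[1], 1)[1])[0][1]      # skip BIT STRING unused-bits byte
        bits = int.from_bytes(modulus, "big").bit_length()
    problems = ["MD5-signed"] if sig_name == "md5WithRSAEncryption" else []
    if bits and bits < MIN_RSA_BITS:
        problems.append(f"RSA key only {bits} bits")
    return sig_name, bits, problems
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def audit_bundle(pem_text):  # audit every certificate in a concatenated PEM file
    return [audit_cert_der(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]

def der(tag, content):  # tiny DER encoder, used only to construct the sample certificates
    n = len(content)
    lb = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + lb + content
def sample_cert(sig_oid, modulus_bits):  # constructed cert: only the audited fields are meaningful
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    modulus = der(0x02, b"\x00" + ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big"))
    spki = der(0x30, der(0x30, der(0x06, PKCS1 + b"\x01") + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, modulus + der(0x02, b"\x01\x00\x01"))))
    # version, serial, signature alg, then empty placeholders for issuer/validity/subject, then SPKI
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"") * 3 + spki)
    body = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00" * 17))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
# Constructed bundle: one acceptable cert, one MD5-signed cert, one with a 512-bit RSA key
SAMPLE_BUNDLE = (sample_cert(PKCS1 + b"\x0b", 2048) + sample_cert(PKCS1 + b"\x04", 2048)
                 + sample_cert(PKCS1 + b"\x0b", 512))
```

Run audit_bundle() over the real bundle file's contents; any entry with a non-empty problems list is a chain OpenSSL 1.1.0+ will refuse at its default settings, and those are the clients to check first.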