how to force/send TLS Certificate Request for all client connections, in client-side ssl-verification?

PGNet Dev pgnet.dev at gmail.com
Wed Jul 3 03:53:37 UTC 2019


I've set up my nginx server with self-signed SSL server-side certs, using my own/local CA.

Without client-side verifications, i.e. just an unverified-TLS connection, all's good.

If I enable client-side SSL cert verification with,

	ssl_certificate           "ssl/example.com.server.crt.pem";
	ssl_certificate_key       "ssl/example.com.server.key.pem";
	ssl_verify_client on;
	ssl_client_certificate    "ssl_cert_dir/CA_intermediate.crt.pem";
	ssl_verify_depth 2;

, a connecting Android app is failing on connect, receiving FROM the nginx server,

	HTTP RESPONSE:
	Response{protocol=http/1.1, code=400, message=Bad Request, url=https://proxy.example.com/dav/myuser%40example.com/3d75dc22-8afc-1946-5b3f-4d84e9b28432/}
	<html>
	<head><title>400 No required SSL certificate was sent</title></head>
	<body>
	<center><h1>400 Bad Request</h1></center>
	<center>No required SSL certificate was sent</center>
	<hr><center>nginx</center>
	</body>
	</html>

I've been unsuccessful so far using tshark/ssldump to decrypt the SSL handshake; I suspect (?) it's because my certs are EC-signed. Still working on that ...

In 'debug' level nginx logs, I see

	2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'35:5'
	2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'2F:/'
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http uri: "/dav/myuser at example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http args: ""
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http exten: ""
	2019/06/30 21:58:14 [debug] 41777#41777: *7 posix_memalign: 0000558C35B3C840:4096 @16
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http process request header line
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Depth: 0"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Type: application/xml; charset=utf-8"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Length: 241"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Host: proxy.example.com"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Connection: Keep-Alive"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Encoding: gzip"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Language: en-US, en;q=0.7, *;q=0.5"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Authorization: Basic 1cC5...WUVi"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http header done
	2019/06/30 21:58:14 [info] 41777#41777: *7 client sent no required SSL certificate while reading client request headers, client: 10.0.1.235, server: proxy.example.com, request: "PROPFIND /dav/myuser%40example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/ HTTP/1.1", host: "proxy.example.com"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http finalize request: 496, "/dav/myuser at example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?" a:1, c:1
	2019/06/30 21:58:14 [debug] 41777#41777: *7 event timer del: 15: 91237404
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http special response: 496, "/dav/myuser at example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 http set discard body
	2019/06/30 21:58:14 [debug] 41777#41777: *7 headers more header filter, uri "/dav/myuser at example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 charset: "" > "utf-8"
	2019/06/30 21:58:14 [debug] 41777#41777: *7 HTTP/1.1 400 Bad Request
	Date: Mon, 01 Jul 2019 04:58:14 GMT
	Content-Type: text/html; charset=utf-8
	Content-Length: 230
	Connection: close
	Secure: Groupware Server
	X-Content-Type-Options: nosniff

In comms with the app vendor, I was asked

	Does your proxy send TLS Certificate Request

		https://tools.ietf.org/html/rfc5246#section-7.4.4?

	... the TLS stack which is used ... won't send certificates preemptively, but only when they're requested. In my tests, client certificates are working as expected, but ONLY if the server explicitly requests them.


I don't recognize the preemptive request above.

DOES nginx send such a TLS Certificate Request by default?  Is there a required, additional config to force that request?
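Added diagnostic example, not part of the original post: in TLS 1.2 a server asks for client authentication by sending a CertificateRequest handshake message (type 13, RFC 5246 section 7.4.4) between its Certificate/ServerKeyExchange and ServerHelloDone, listing the accepted certificate types, signature algorithms and the distinguished names of the CAs it trusts. The parser below reads a plaintext server handshake flight (as extracted from a capture) and reports whether that message is present and what it asks for; the input bytes and the "CN=Example CA" name are constructed for the example.

```python
import struct

HANDSHAKE = 22            # TLS record content type
CERTIFICATE_REQUEST = 13  # handshake type, RFC 5246 7.4.4
SERVER_HELLO_DONE = 14

def iter_handshake_messages(data: bytes):
    """Yield (hs_type, body) for every handshake message in a run of TLS records,
    reassembling the handshake stream first (a message may span records)."""
    stream, off = b"", 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if ctype == HANDSHAKE:
            stream += data[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(stream):
        hs_type, hs_len = stream[pos], int.from_bytes(stream[pos + 1:pos + 4], "big")
        yield hs_type, stream[pos + 4:pos + 4 + hs_len]
        pos += 4 + hs_len

def parse_certificate_request(body: bytes) -> dict:
    """Decode a TLS 1.2 CertificateRequest body into its three fields."""
    n, pos = body[0], 1
    cert_types = list(body[pos:pos + n]); pos += n            # 1 = rsa_sign, 64 = ecdsa_sign
    sig_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + sig_len, 2)]  # (hash, sig)
    pos += sig_len
    ca_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    cas, end = [], pos + ca_len
    while pos < end:                                           # list of DER-encoded Names
        dn_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        cas.append(body[pos:pos + dn_len]); pos += dn_len
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}

def server_requests_client_cert(data: bytes):
    """Decoded CertificateRequest if the server flight contains one, else None."""
    for hs_type, body in iter_handshake_messages(data):
        if hs_type == CERTIFICATE_REQUEST:
            return parse_certificate_request(body)
    return None

def build_sample_flight() -> bytes:
    """Constructed sample, not a real capture: CertificateRequest and ServerHelloDone in two records."""
    ca_dn = bytes.fromhex("3015311330110603550403" "0c0a4578616d706c65204341")  # DER Name CN=Example CA
    body = bytes([2, 1, 64]) + bytes([0, 4, 4, 1, 4, 3])      # rsa_sign+ecdsa_sign; sha256/rsa, sha256/ecdsa
    cas = len(ca_dn).to_bytes(2, "big") + ca_dn
    body += len(cas).to_bytes(2, "big") + cas
    def record(hs_type, hs_body):
        msg = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
        return bytes([HANDSHAKE]) + b"\x03\x03" + len(msg).to_bytes(2, "big") + msg
    return record(CERTIFICATE_REQUEST, body) + record(SERVER_HELLO_DONE, b"")
```

This applies to TLS 1.2 only: in TLS 1.3 the CertificateRequest is sent inside the encrypted part of the handshake, so a packet capture cannot show it without the session keys.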

