failure to limit access to a secure area with self-signed client SSL cert fingerprint match

PGNet Dev at
Mon Mar 20 17:51:47 UTC 2023

i run

	nginx -v
		nginx version: nginx/1.23.3 (COPR Build)

the server's setup to use LE certs

	server {

     ssl_trusted_certificate   "/www/sec/le/deploy/";
     ssl_certificate           "/www/sec/le/deploy/";
     ssl_certificate_key       "/www/sec/le/deploy/";

i've a secure area that i want to limit access to clients only with exact-matching ssl cert fingerprints

i've added

     map $ssl_client_fingerprint $test_ssl_fp_reject {
		default 1;
		# cert's SHA1 FP
		01234567890ABCDEFGHIJK1234567890ABCDEFGH 0;
	log_format ssl_client
	    '"Client fingerprint" $ssl_client_fingerprint '
	    '"Client DN" $ssl_client_s_dn ';

	server {
		# attempt the verify, to populate $ssl_client_fingerprint
		ssl_verify_client optional;
		ssl_verify_depth 2;
		ssl_client_certificate "/etc/ssl/cert.pem";
		location /sec/test {
			if ($test_ssl_fp_reject) {return 403; }

			root /www/sec/test;
			try_files /test.php =444;
			fastcgi_pass   phpfpm;
			fastcgi_index  test.php;
			fastcgi_param  PATH_INFO $fastcgi_script_name;
			include fastcgi.conf;
		access_log  /var/log/nginx/ssl.log ssl_client;

the client cert's self-signed with my own CA, and usage's config'd for Client auth,

	openssl x509 -in -text -noout
		        Version: 3 (0x2)
		        Serial Number: 4859 (0x12fb)
		        Signature Algorithm: ecdsa-with-SHA256
		        Issuer: C = US, ST = NY, O =, OU = example.com_CA, CN = example.com_CA_INT, emailAddress = ssl at
		            Not Before: Mar 20 11:17:47 2023 GMT
		            Not After : Mar 17 11:17:47 2024 GMT
		        Subject: C = US, ST = NY, L = New_York, O =, OU = example.com_CA, CN =, emailAddress = ssl at
		        Subject Public Key Info:
		            Public Key Algorithm: id-ecPublicKey
		                Public-Key: (384 bit)
		                ASN1 OID: secp384r1
		                NIST CURVE: P-384
		        X509v3 extensions:
		            X509v3 Basic Constraints:
		            Netscape Cert Type:
		                SSL Client, S/MIME
		            Netscape Comment:
		       CLIENT Certificate
		            X509v3 Subject Key Identifier:
		            X509v3 Authority Key Identifier:
		            X509v3 Key Usage: critical
		                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
		            X509v3 Extended Key Usage:
		                TLS Web Client Authentication, E-mail Protection
		            X509v3 Subject Alternative Name:
		    Signature Algorithm: ecdsa-with-SHA256
		    Signature Value:

i've imported the cert as .pfx into Firefox & Chrome.

i can access

as usual.

now, on access to EITHER of

in browser i get

	400 Bad Request
	The SSL certificate error

while in log, i _do_ see the captured FP & DN,

	tail -f /var/log/nginx/ssl.log

		"Client fingerprint" 01234567890ABCDEFGHIJK1234567890ABCDEFGH "Client DN" emailAddress=ssl at,,OU=example.com_CA,,L=New_York,ST=NY,C=US

if i toggle

	-	ssl_verify_client optional;
	+	ssl_verify_client off;

now, access to

works. but


	403 Forbidden

since the $ssl_client_fingerprint doesn't populate

	tail -f /var/log/nginx/ssl.log

		"Client fingerprint" - "Client DN" -

and, if I turn off ALL client verification, then access to frontend and by secure area works as expected.

what config change's needed to

	(1) keep the site publicly accessible using the LE certs"
	(2) lock down to secure area for exact FP-match access only?

More information about the nginx mailing list