failure to limit access to a secure area with self-signed client SSL cert fingerprint match
PGNet Dev
pgnet.dev at gmail.com
Wed Mar 22 12:48:50 UTC 2023
> Do you have the certificate that has that value as the Subject? What
> is that certificate's Issuer? And repeat until you get to the root
> certificate.
>
> And which of the ssl*certificate files named in your config holds those certificates?
i verified all my certs/chains. all good.
with my orig conf, it appears i can't manage to grab/verify ssl client FP's for other-than-primary domains
this fails to work, errors as reported above,
    server {
        ...
        server_name example.com;
        ssl_verify_client optional;
        ssl_verify_depth 2;
        ssl_client_certificate "/www/ssl/self-signed/myCA.CHAIN.crt.pem";
        ssl_trusted_certificate "/www/ssl/le/deploy/example.com/intermediate_ca.ec.crt.pem";
        ssl_certificate "/www/ssl/le/deploy/example.com/fullchain.ec.crt.pem";
        ssl_certificate_key "/www/ssl/le/deploy/example.com/priv.ec.key";
        location /test {
            if ($ssl_client_verify != SUCCESS) { return 403; }
            if ($test_ssl_fp_reject) { return 403; }
            ...
        }
    }
OTOH simply splitting the secure subdir out into a separate server{}/subdomain, with separate, self-signed cert
    server {
        ...
        server_name example.com;
        ssl_verify_client off;
        ssl_trusted_certificate "/www/ssl/le/deploy/example.com/intermediate_ca.ec.crt.pem";
        ssl_certificate "/www/ssl/le/deploy/example.com/fullchain.ec.crt.pem";
        ssl_certificate_key "/www/ssl/le/deploy/example.com/priv.ec.key";
    }
    server {
        server_name test.example.com;
        ssl_verify_client on;
        ssl_client_certificate "/www/ssl/self-signed/myCA.CHAIN.crt.pem";
        ssl_verify_depth 2;
        ssl_certificate "/www/ssl/self-signed/test.example.com.server.ec.crt.pem";
        ssl_certificate_key "/www/ssl/self-signed/test.example.com.ec.key.pem";
        location / {
            if ($ssl_client_verify != SUCCESS) { return 403; }
            if ($test_ssl_fp_reject) { return 403; }
            ...
        }
        ...
    }
achieves the intended result -- just not in the same server{} block
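As an added illustration (not part of the original post) of how a variable like `$test_ssl_fp_reject` can be derived, nginx's `map` can key on `$ssl_client_fingerprint`, which holds the SHA-1 of the presented client certificate as lowercase hex without colons and is empty when no certificate was sent; the fingerprint value below is a constructed placeholder, and the `map` itself is an assumption about how the poster's variable is defined.

```nginx
# Added example: fingerprint allowlist for the /test area (not from the original post).
# $ssl_client_fingerprint is empty when the client sent no certificate, so
# "default 1" rejects that case as well as any certificate not listed here.
map $ssl_client_fingerprint $test_ssl_fp_reject {
    default                                     1;
    # PLACEHOLDER value, constructed for this example; replace with the real
    # client certificate fingerprint (openssl x509 -noout -fingerprint -sha1,
    # lowercased and with the colons removed).
    "0000000000000000000000000000000000000000"  0;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_verify_client optional;
    ssl_verify_depth 2;
    ssl_client_certificate "/www/ssl/self-signed/myCA.CHAIN.crt.pem";
    ssl_certificate "/www/ssl/le/deploy/example.com/fullchain.ec.crt.pem";
    ssl_certificate_key "/www/ssl/le/deploy/example.com/priv.ec.key";

    location /test {
        # Both checks are needed: "optional" completes the handshake even when
        # verification fails or no cert is sent ($ssl_client_verify is NONE or
        # FAILED:...), and a cert that chains to the private CA but is not on
        # the allowlist must still be refused.
        if ($ssl_client_verify != SUCCESS) { return 403; }
        if ($test_ssl_fp_reject) { return 403; }
    }
}
```

`return` inside `if` is one of the constructs that is safe in a `location` context, so no rewrite-module side effects apply here.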