Hi everyone,

Some of our customers are using mTLS to authenticate clients. There have been 
complaints that some certificates don’t work
but we don’t know why. To shed some light on the matter, I’ve tried to add more 
info to our log format regarding TLS validation:

log-format "%ci:%cp [%tr] (%ID) %ft %b/%s %TR/%Tw/%Tc/%Tr/%Tt %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslc %sslv %[ssl_fc_has_sni] %[ssl_c_used] %[ssl_fc_has_crt] %[ssl_c_err] %[ssl_c_ca_err]"


The new elements are

%[ssl_fc_has_sni] %[ssl_c_used] %[ssl_fc_has_crt] %[ssl_c_err] %[ssl_c_ca_err]

As I wanted to know if there is a validation error I added ssl_c_err so I would 
be able to look it up in openssl later.

However, whenever I try the config with a bad certificate (e.g. expired, not 
yet valid, etc.) I don’t see the log entry at all.
Instead I just get:

https-in/1: SSL client certificate not trusted

Only after I added

crt-ignore-err all

to the bind directive, I did see the actual error code in the log. But then, 
the certificate would always validate which is not what I want of course.

Any chance to get a meaningful log message on bad certificates?


Best regards,
Dominik
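The behaviour described in the mail (no log line, only "SSL client certificate not trusted") is what strict verification does: the handshake is aborted before any request is processed, so the request log line is never produced. The usual way to keep a record of why a certificate was rejected is to let the handshake complete and enforce the verification result at the request level instead. The configuration below is an added example written for this thread, not from the original mail or the HAProxy project; the frontend name comes from the log message quoted above, the certificate paths, port and backend name are placeholders.

```haproxy
# Added example (not from the original mail). Assumed paths and backend name.
frontend https-in
    # crt-ignore-err / ca-ignore-err only stop HAProxy from aborting the
    # handshake; the OpenSSL verify result is still recorded and can be
    # read with ssl_c_verify / ssl_c_err / ssl_c_ca_err.
    bind :443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/clients-ca.pem verify required crt-ignore-err all ca-ignore-err all

    # Log the verify result (0 = OK) plus the depth-0 and CA-depth error codes,
    # so a rejected certificate still produces a request log line.
    log-format "%ci:%cp [%tr] (%ID) %ft %b/%s %ST %sslv %sslc used=%[ssl_c_used] verify=%[ssl_c_verify] err=%[ssl_c_err] ca_err=%[ssl_c_ca_err] %{+Q}r"

    # Enforce the result ourselves: a request is only allowed when a client
    # certificate was presented AND its verify result is 0. Anything else
    # (expired, not yet valid, unknown CA, ...) is denied with 403 after logging.
    http-request deny deny_status 403 unless { ssl_c_used } { ssl_c_verify 0 }

    default_backend app
```

With this setup a bad certificate is still refused, but the refusal happens after the request has been logged, and the numeric code in the `err=`/`ca_err=` fields can be looked up in the OpenSSL verify error list (for example 10 for "certificate has expired"). Note that `crt-ignore-err` only covers errors at depth 0; errors on the CA chain are controlled by `ca-ignore-err`, which is why both are set here while `ssl_c_verify` catches either case.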
