Hi, on a host I'd like to send HPKP reports to ssl_verify_client is set to "optional":
ssl_client_certificate /etc/nginx/ssl/CA.pem; ssl_verify_client optional; If HPKP policy fails (for another domain), Chrome (54.0.2840.71 (64-bit)) sends HPKP reports to that reporting host, but the post ends with an "ERR_SSL_CLIENT_AUTH_CERT_NEEDED" error, which in my understanding is not correct, because /hpkp-report path doesn't require a client certificate for authentication. Chrome bug? chrome://net-internals/#events ----------------- 322: URL_REQUEST https://www.example.org/hpkp-report Start Time: 2016-10-30 16:56:20.278 t=4559 [st= 0] +REQUEST_ALIVE [dt=75] t=4559 [st= 0] URL_REQUEST_DELEGATE [dt=0] t=4559 [st= 0] +URL_REQUEST_START_JOB [dt=75] --> load_flags = 1618 (BYPASS_CACHE | DISABLE_CACHE | DO_NOT_SAVE_COOKIES | DO_NOT_SEND_AUTH_DATA | DO_NOT_SEND_COOKIES) --> method = "POST" --> priority = "LOWEST" --> upload_id = "0" --> url = "https://www.example.org/hpkp-report" t=4559 [st= 0] URL_REQUEST_DELEGATE [dt=0] t=4559 [st= 0] HTTP_CACHE_GET_BACKEND [dt=0] t=4559 [st= 0] +HTTP_STREAM_REQUEST [dt=75] t=4559 [st= 0] HTTP_STREAM_REQUEST_STARTED_JOB --> source_dependency = 323 (HTTP_STREAM_JOB) t=4634 [st=75] HTTP_STREAM_REQUEST_BOUND_TO_JOB --> source_dependency = 323 (HTTP_STREAM_JOB) t=4634 [st=75] -HTTP_STREAM_REQUEST t=4634 [st=75] URL_REQUEST_DELEGATE [dt=0] t=4634 [st=75] CANCELLED --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED) t=4634 [st=75] -URL_REQUEST_START_JOB --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED) t=4634 [st=75] URL_REQUEST_DELEGATE [dt=0] t=4634 [st=75] -REQUEST_ALIVE ----------------- If I type in https://www.example.org/hpkp-report in Chrome's address bar I don't get an SSL error (tested with different clients). Ciao Marcus -- I think we dream so we don't have to be apart so long. If we're in each other's dreams, we can play together all night. -- Calvin _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx