Hello! On Wed, Sep 19, 2018 at 03:59:58PM -0400, kpuscas wrote:
> Our service uses 2-way ssl with our clients connecting to our systems. With
> each new client we add their intermediate and root CA chain to the
> concatenated certificates file used by ssl_client_certificate. We recently
> upgraded to 1.14.0 (and the included modules) and now some, but not all of
> our customers are unable to connect, getting 400 errors. We've tried changing
> the order of the certificates in the concatenated file but that didn't help.
> It is happening across different certificate chains but not all. And all of
> them worked fine prior to the upgrade.
>
> Has anyone else encountered this or is there something we should be doing
> differently in how we set up these certificates?

There were no recent changes in nginx related to client certificate validation.

On the other hand, there were changes in OpenSSL - most notably, OpenSSL 1.1.0+ now by default rejects MD5-signed certificates and/or certificates with less than 1024-bit RSA keys. This might be the reason for the problems you have with some certificates, assuming you've upgraded not only nginx but also switched to a newer OpenSSL library.

You may also want to take a look at nginx error logs. When nginx returns a 400 error, it logs the reason to the error log at the "info" level.

-- 
Maxim Dounin
http://mdounin.ru/
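As an added example (not part of Maxim's reply or of nginx itself), a stand-alone Python check for the two OpenSSL 1.1.0+ defaults named above: it walks every certificate in a concatenated PEM bundle such as the one handed to ssl_client_certificate and reports entries that are MD5-signed or carry an RSA key shorter than 1024 bits. The minimal DER walker, the `sample_pem` builder and its constructed, unsigned stand-in certificates are assumptions of this example; the OID constants are the standard md5WithRSAEncryption and rsaEncryption values.

```python
import base64, re
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")    # DER OID md5WithRSAEncryption (standard value)
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # DER OID rsaEncryption (standard value)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _children(value):  # immediate (tag, value) children of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: the next n bytes carry the length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def inspect_cert(der):
    """Return (signatureAlgorithm OID bytes, RSA modulus bits or None) for one DER cert."""
    tbs, sig_alg, _sig = _children(_children(der)[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    spki_alg, spki_key = _children(fields[5][1])  # subjectPublicKeyInfo
    bits = None
    if _children(spki_alg[1])[0][1] == RSA_ENCRYPTION:  # BIT STRING = unused-bits byte + RSAPublicKey
        modulus = _children(_children(spki_key[1][1:])[0][1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
    return _children(sig_alg[1])[0][1], bits

def weak_certs(pem_bundle):  # (index, reason) for bundle entries OpenSSL 1.1.0+ rejects by default
    findings = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        sig, bits = inspect_cert(base64.b64decode("".join(m.group(1).split())))
        if sig == MD5_WITH_RSA:
            findings.append((i, "MD5-signed"))
        if bits is not None and bits < 1024:
            findings.append((i, f"RSA key only {bits} bits"))
    return findings

def _der(tag, body):  # minimal DER encoder (lengths < 65536), used only for the constructed sample
    n = len(body)
    return bytes([tag, n] if n < 128 else [tag, 0x81, n] if n < 256 else [tag, 0x82, n >> 8, n & 0xFF]) + body

def sample_pem(sig_oid, key_bits):
    """Constructed stand-in certificate: structurally valid, unsigned, trusted by nothing."""
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    key = _der(0x30, _der(0x02, b"\x00\xc1" + b"\x23" * (key_bits // 8 - 1)) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_ENCRYPTION) + _der(0x05, b"")) + _der(0x03, b"\x00" + key))
    empty = _der(0x30, b"")  # empty issuer/validity/subject suffice for a structural sample
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + empty * 3 + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Run `weak_certs(open("/path/to/client-ca-bundle.pem").read())` against the real bundle; an empty list means neither of the two OpenSSL defaults explains the rejection and the error log at "info" level is the next place to look.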