Re: ssl stapling, verification fails

2015-04-29 Thread Maxim Dounin
Hello!

On Wed, Apr 29, 2015 at 02:38:24AM -0400, drookie wrote:

> Hi.
> 
> I'm trying to get nginx 1.6.2 to authenticate users using their client
> certificates.
> 
> I'm using this configuration (besides usual SSL settings, which are proven
> to work):
> 
> ssl_stapling on;
> ssl_client_certificate /etc/nginx/certs/trusted.pem;
> ssl_verify_client optional_no_ca;
> 
> trusted.pem contains 3 CA certificates: test CA and 2 production CAs (main
> and intermediate).
> To pass verification data to the application I'm using
> 
> fastcgi_param X-SSL-Verified $ssl_client_verify;
> fastcgi_param X-SSL-Certificate $ssl_client_cert;
> fastcgi_param X-SSL-IDN $ssl_client_i_dn;
> fastcgi_param X-SSL-SDN $ssl_client_s_dn;
> 
> And here comes the issue: when using test CA and test certificate, I'm
> getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting
> X-SSL-Verified: FAILED. You can say that there's a problem in my certificate
> bunch, but I tried to verify if the production certificate is really issued
> by the CA that I think about:
> 
> openssl verify -verbose -CAfile trusted.pem rt.cert
> rt.cert: OK
> 
> Looks like it passes the verification. trusted.pem is the same that nginx
> uses. At the same time nginx thinks that certificate doesn't pass the test.
> Why can this happen? I've also tried setting 'ssl_verify_client on;' - the
> only difference is that I get the 400 answer, because the verification fails
> explicitly.

Try looking into the error log, it should have details at the info 
level.

Most likely, the problem is that you are trying to use 
intermediate CAs with the default value of ssl_verify_depth, see 
http://nginx.org/r/ssl_verify_depth.

-- 
Maxim Dounin
http://nginx.org/

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
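The mismatch the poster sees (openssl verify says OK, nginx says FAILED) comes from the fact that the plain `openssl verify` command places no practical limit on chain length, while a TLS server verifies with a fixed depth. The following shell script is an added example, not part of the thread or of nginx: it generates a throwaway root -> intermediate -> leaf chain, puts both CAs in a bundle the way the poster describes, and verifies the leaf with and without a depth limit. The file names rt.cert and trusted.pem mirror the poster's; every key, subject and certificate is constructed test data. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: why "openssl verify" can report OK for a client certificate
# that a depth-limited verifier rejects.  All certificates here are throwaway
# test data generated on the fly; the file names (rt.cert, trusted.pem) mirror
# the poster's, nothing else is taken from the real deployment.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf and a bundle holding both CAs, which is
# the shape the poster describes (main CA plus intermediate in trusted.pem).
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/leaf.ext"

    # Self-signed root CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Root CA' \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate CA issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Intermediate CA' \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" >/dev/null 2>&1

    # Client leaf certificate issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=client' \
        -keyout "$WORK/rt.key" -out "$WORK/rt.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/rt.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/rt.cert" >/dev/null 2>&1

    # Same bundle shape as the poster's: root and intermediate together.
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trusted.pem"
}

# Verify rt.cert against trusted.pem.  $1 is a -verify_depth limit, or the word
# "unbounded" for exactly the command the poster ran.  Prints OK or FAILED.
# The verdict is read from the output rather than the exit code, because the
# verify subcommand of OpenSSL 1.0.x exits 0 even when verification fails.
verdict() {
    if [ "$1" = unbounded ]; then set --; else set -- -verify_depth "$1"; fi
    if openssl verify "$@" -CAfile "$WORK/trusted.pem" "$WORK/rt.cert" 2>&1 \
        | grep -q 'rt\.cert: OK$'; then
        echo OK
    else
        echo FAILED
    fi
}

make_chain
echo "unbounded (the poster's openssl verify command): $(verdict unbounded)"
echo "depth 0 (leaf must be issued directly by the root): $(verdict 0)"
echo "depth 1 (whether one intermediate fits depends on the OpenSSL release): $(verdict 1)"
echo "depth 2 (room for the intermediate on every release): $(verdict 2)"
```

The unbounded command and depth 2 report OK, depth 0 reports FAILED, and depth 1 is deliberately not asserted: OpenSSL 1.1.0 changed how the limit is counted, so the same chain can pass or fail at depth 1 depending on the library build, which is exactly why a server's default depth setting deserves a look whenever `openssl verify` and the server disagree. For nginx the check Maxim suggests applies as-is: read the error log at info level and raise ssl_verify_depth (http://nginx.org/r/ssl_verify_depth) until the chain through the intermediate fits.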


ssl stapling, verification fails

2015-04-29 Thread drookie
Hi.

I'm trying to get nginx 1.6.2 to authenticate users using their client
certificates.

I'm using this configuration (besides usual SSL settings, which are proven
to work):

ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;

trusted.pem contains 3 CA certificates: test CA and 2 production CAs (main
and intermediate).
To pass verification data to the application I'm using

fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;

And here comes the issue: when using test CA and test certificate, I'm
getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting
X-SSL-Verified: FAILED. You can say that there's a problem in my certificate
bunch, but I tried to verify if the production certificate is really issued
by the CA that I think about:

openssl verify -verbose -CAfile trusted.pem rt.cert
rt.cert: OK

Looks like it passes the verification. trusted.pem is the same that nginx
uses. At the same time nginx thinks that certificate doesn't pass the test.
Why can this happen? I've also tried setting 'ssl_verify_client on;' - the
only difference is that I get the 400 answer, because the verification fails
explicitly.

Thanks.

Posted at Nginx Forum: 
http://forum.nginx.org/read.php?2,258480,258480#msg-258480
