David here - needs help with nginx client ssl cert authentication

Posted by dbring 
May 11, 2012 03:25PM
I'm new to nginx, began using it about two months ago for a project that requires client SSL certificate authentication where the nginx server is running on WS2008SEr2.

I have SSL headers passing OK to the web server behind nginx, but need help (PLEASE HELP) getting nginx to authenticate the client SSL certs.

On my development box, I've created my own ca.crt and ca.key, plus the web server ws.crt and ws.keys (self signed), and also the client cl.crt and cl.key (self-signed with ca.crt).

I understand that Nathan Good got nginx client ssl cert authentication to work as he published in his blog: http://blog.nategood.com/client-side-certificate-authentication-in-ngi

But there are several assumptions not covered in his documentation:
1) When creating the server and client SSL certs, does the CN (common name) parameter have to be the resolved name of the server and client host computers for the nginx client SSL cert authentication to validate (to pass VERIFIED in $ssl_client_verify)? Currently nginx is only passing NONE in $ssl_client_verify. I specifically created my server.crt and client.crt to match their resolved host names. Googling this seems to say YES.

2) When installing a client SSL certificate to be used for client web SSL authentication, there are many possible properties to assign to the certificate's use. How do we define those properties to ensure that our desired client.crt will be used/presented for client authentication to nginx (and that other certificates will NOT be presented for client authentication to nginx)? My client.crt has its property set for client authentication.

It would help me most if someone who has done this could help get this part finished. It seems like it is soooo close.....

Below are some config snippets. nginx starts with no errors. ssl_client_verify always returns "none".

ssl_certificate ../cert/ep192.168.2.98.crt;
ssl_certificate_key ../cert/ep192.168.2.98.key;
ssl_client_certificate ../cert/ca.crt;
ssl_verify_client optional;
...
proxy_set_header Host $host;
proxy_set_header REMOTE_ADDR $remote_addr;
proxy_set_header Verify $ssl_client_verify;
proxy_set_header DN $ssl_client_s_dn;

Thanks!!!
David
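An added worked example, not from the original post or from Nathan Good's blog, covering the two questions above. What nginx actually checks under ssl_verify_client is that the presented client certificate chains to a CA in the ssl_client_certificate file (within ssl_verify_depth); it does not compare the client cert's CN to any hostname. $ssl_client_verify is NONE when the client sent no certificate at all, FAILED (with a reason appended in newer versions) when a cert was sent but did not chain, and SUCCESS when it did. A browser decides which cert to offer from the CA names nginx advertises in its CertificateRequest, which come from ssl_client_certificate, so a client cert that was not issued by that CA is usually never offered, and the result stays NONE. The script below builds a private CA, issues a client cert with the clientAuth extended key usage, builds a self-signed cert with the same CN that was not issued by the CA, and reproduces nginx's verdict with openssl verify; it also writes an nginx config fragment. All file names, the CA name, the CNs, the hostname example.test and the backend address are assumptions made for the example.

```shell
#!/bin/sh
# Added example: reproduce nginx client-cert verification with openssl.
# Paths, CA name, CNs and hostname below are assumptions for the demo.
set -eu

# make_ca DIR: private CA. This ca.crt is what ssl_client_certificate points at.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client_cert DIR NAME: key + CSR + cert signed by the CA, EKU clientAuth.
# CN is an arbitrary identity; it is NOT matched against a hostname by nginx.
issue_client_cert() {
  dir=$1; name=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' \
    > "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_rogue_cert DIR NAME: self-signed cert with the same kind of CN, but not
# issued by the CA. nginx would report FAILED for it (or NONE if never offered).
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# verify_against_ca DIR NAME: chain check against ca.crt, printed as the value
# nginx would put in $ssl_client_verify (SUCCESS / FAILED).
verify_against_ca() {
  if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo SUCCESS
  else
    echo FAILED
  fi
}

# has_client_auth_eku DIR NAME: true if the cert carries the clientAuth EKU,
# the property a browser keys on when picking certs for client authentication.
has_client_auth_eku() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q "TLS Web Client Authentication"
}

# write_nginx_conf DIR: server block that enforces client-cert auth. Quoted
# heredoc so the $ssl_* variables reach nginx untouched.
write_nginx_conf() {
  cat > "$1/client-auth.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name example.test;                 # assumed hostname

    ssl_certificate     /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;

    # CA (or several CAs concatenated) that must have issued the client cert.
    # nginx also advertises these CA names to the browser, which is how the
    # browser chooses which client certificate to present.
    ssl_client_certificate /etc/nginx/cert/ca.crt;
    ssl_verify_client on;      # "optional" lets clients in with NONE/FAILED
    ssl_verify_depth 1;        # use 2 if an intermediate CA signs client certs

    location / {
        # With "on", requests only get here after SUCCESS. With "optional" the
        # backend must check this header; proxy_set_header overwrites any
        # value the client tried to smuggle in.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

# demo: build everything in a scratch directory and print the verdicts.
demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_client_cert "$d" alice
  make_rogue_cert "$d" alice-selfsigned
  write_nginx_conf "$d"
  echo "alice (issued by CA):        $(verify_against_ca "$d" alice)"
  echo "alice-selfsigned (no chain): $(verify_against_ca "$d" alice-selfsigned)"
  echo "nginx fragment written to $d/client-auth.conf"
}

demo
```

The rogue cert fails purely because it does not chain to ca.crt; its CN is irrelevant, and giving it the client's hostname as CN would change nothing. If the client cert is signed by an intermediate rather than directly by the root in ca.crt, either put the intermediate in ca.crt as well and raise ssl_verify_depth, or have the client send the intermediate along with its cert.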
Re: David here - needs help with nginx client ssl cert authentication
October 10, 2012 05:33AM
I've tried various combinations of burst=2, nodelay, 1r/s or 1r/m, with and without limit_conn, with and without keepalive, with and without "location /", etc... and requests are never being limited, as shown by the access.log entries below: