Custom 400 error for client-certificate-authenticated site

Posted by admrt 
Custom 400 error for client-certificate-authenticated site
July 01, 2013 03:00PM
Hi everyone,

I'm using nginx as a Proxy SSL front-end for an application, to encapsulate the security features that the application lacks. The site has to authenticate users with a personal certificate. Everything works fine, except the case when the user doesn't send the client certificate. In that case a 400 error is generated with the message "No required SSL certificate was sent". But I cannot change the standard page because the site requires the client certificate.

Any idea on how to do this?

Regards
Re: Custom 400 error for client-certificate-authenticated site
April 10, 2014 04:44PM
Hi,

I have been able to work around this issue by setting the option "ssl_verify_client" to "optional" instead of "on". After this I used an if statement for checking the variable "$ssl_client_verify" on its value being "NONE" (meaning no valid SSL certificate had been provided). This statement being true, you can redirect your visitors to another url. Otherwise they will continue running the rest of the server code.

In config code this looks like the following:

server {
    listen 0.0.0.0:443 ssl;
    ssl on;
    server_name myserver.mydomain.com;
    ssl_certificate_key /my/path/to/my/certificate.key;
    ssl_certificate /my/path/to/my/certificate.pem;
    ssl_client_certificate /my/path/to/my/ca.crt;
    ssl_verify_client optional;
    root /my/path/to/my/root/html;

    # No client certificate was sent: redirect to the custom error page
    if ($ssl_client_verify = NONE) {
        return 303 http://errors.mydomain.com/400.html;
    }

    location / {
        # (whatever you want to show your verified visitors)
    }
}

Please let me know if this worked for you.

Greetz!
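
An alternative to the redirect in the reply above, as an added example that is not part of either post: nginx reports a missing client certificate as internal code 496 and a failed verification as 495, and both can be handled with error_page while ssl_verify_client stays "on". The page name /cert-required.html, the errors directory, the backend address and the X-Client-DN header name are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name myserver.mydomain.com;

    ssl_certificate         /my/path/to/my/certificate.pem;
    ssl_certificate_key     /my/path/to/my/certificate.key;
    ssl_client_certificate  /my/path/to/my/ca.crt;

    # Verification stays mandatory, so no location is reachable
    # without a certificate that chains to ca.crt.
    ssl_verify_client on;

    # 496 = no certificate sent, 495 = certificate failed verification.
    # Serve one local page for both and answer with status 400.
    error_page 495 496 =400 /cert-required.html;

    location = /cert-required.html {
        internal;                        # only reachable through error_page
        root /my/path/to/my/errors;      # assumed directory holding the page
    }

    location / {
        proxy_pass http://127.0.0.1:8080;              # assumed backend
        # Hypothetical header name: pass the verified subject to the application.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

The error page is served over the same TLS connection, so the visitor is not sent to a plain-HTTP host and the application behind the proxy never sees an unauthenticated request.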