ssl_verify_client ends up in 403

Posted by bertalanimre 
March 27, 2017 08:51AM
Hello Forum,

Anyone has an idea how to allow (force) ssl_verify_client? I have done everything that was requested by the manuals, but if I set ssl_verify_client on, then the page receives a 403, like I couldn't verify the client. This is mainly needed to make Braintree payment method available, if anyone has encountered them before.

Can you please help me out with this?

My related lines in my config file are:

ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;

ssl_client_certificate /etc/nginx/ssl/RapidSSL-CA.crt;
ssl_verify_client optional;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

And inside my first location, I have:
if ($ssl_client_verify != SUCCESS) {
return 403;
}


And before you say: I know IF IS EVIL :) But this one worked like a charm, so I wish to keep it if I can. OFC if I have to remove, but it makes the website working, then so be it.

Regards:
Bert

-----------------------------------------------------
-----------------------------------------------------
More than 50% of the US citizens believe that the bad weather can interrupt your connection to the cloud servers.
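To see which case triggers the `return 403` in a configuration like the one posted above, the following added example (not part of the original post and not nginx's own code) triages 403 responses by the logged `$ssl_client_verify` value, which nginx sets to `SUCCESS`, `NONE` (no certificate presented) or `FAILED:reason`. The `log_format` shown in the comment, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed log layout (not from the post), e.g. produced by:
#   log_format mtls '$remote_addr $status "$ssl_client_verify" '
#                   '"$ssl_client_s_dn" "$ssl_client_i_dn"';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) (?P<status>\d{3}) "(?P<verify>[^"]*)" '
    r'"(?P<subject>[^"]*)" "(?P<issuer>[^"]*)"$')

# Constructed sample lines (documentation addresses, made-up names).
SAMPLE_LOG = """\
192.0.2.10 403 "NONE" "-" "-"
192.0.2.11 403 "FAILED:unable to verify the first certificate" "CN=client.example" "CN=Constructed Other CA"
192.0.2.12 200 "SUCCESS" "CN=partner.example" "CN=Constructed Trusted CA"
192.0.2.13 403 "FAILED:certificate has expired" "CN=old.example" "CN=Constructed Trusted CA"
192.0.2.14 403 "SUCCESS" "CN=partner.example" "CN=Constructed Trusted CA"
not a log line
"""


def classify(verify):
    """Map a $ssl_client_verify value to what it says about the handshake."""
    if verify == "SUCCESS":
        return "verified"
    if verify == "NONE":  # possible only with ssl_verify_client optional/optional_no_ca
        return "no client certificate presented"
    if verify == "FAILED" or verify.startswith("FAILED:"):
        # nginx before 1.11.7 logs a bare FAILED without the reason string
        return "certificate rejected: " + (verify.partition(":")[2] or "reason not logged")
    return "unrecognised value: " + verify


def triage_403s(log_text):
    """Return ([(addr, cause) for each 403], number of unparsable lines)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
        elif m["status"] == "403":
            cause = classify(m["verify"])
            if cause == "verified":  # the `if` block did not fire; look elsewhere
                cause = "403 not caused by the client-certificate check"
            findings.append((m["addr"], cause))
    return findings, skipped


if __name__ == "__main__":
    for addr, cause in triage_403s(SAMPLE_LOG)[0]:
        print(f"{addr}: {cause}")
```

A `NONE` result means the client never sent a certificate, while `FAILED:...` means one was sent but did not chain to the CA file named in `ssl_client_certificate`; the logged issuer DN shows which CA the client actually used.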